1

The Open Proxy Problem

Internet2 Members MeetingArlington VA, Wednesday, April 9th, 2003

Joe St Sauver, Ph.D. (joe@oregon.uoregon.edu)Director, User Services and

Network ApplicationsUniversity of Oregon Computing Center

http://darkwing.uoregon.edu/~joe/proxies/

2

I. Introduction

3

My interest in proxy servers• My interest in proxy servers goes back

many years now.• For example, I brought up the first Squid

box at the University of Oregon (then aSparc 5, wow! :-)), and I also encourageddeployment of caching web proxies atother Oregon University System schoolsand K12 sites statewide served by Oregon'sOWEN/NERO network.

4

Early exposure to casual attitudesabout web cache security

• I've also done beta testing of commercialcache boxes. My interest in proxy serversecurity really dates from that testing work.

• While testing one particular commercialcache appliance, I noted it had *no* accesscontrols at all; my feedback on that point tothe vendor was blown off, and I was told"don't worry, our caches will always bedeployed behind a firewall." No, they weren't.

5

What was old became new again• My interest in open proxy security issues

was rekindled this last year when it becameclear that spammers were exploitinginsecure proxy servers to inject unsolicitedcommercial email.

• Examples of bulk email software productstouting their use of proxies for sending bulkemail includes: G-Lock's EasyMail, ListSorcerer, Send-Safe, and many others.

6

Questions I had...• Clearly abuse of open proxies for sending

spam had become a systematic/structuralphenomenon. I became intrigued, anddecided I should study the open proxies thatwere being abused. Questions I wanted tobe able to answer included:-- Where were all these open proxieslocated? (Put another way, what ISPsseemed least competent when it came todealing with abused boxes?)

7

Questions I had...• -- How many open proxies were out there?

(I'd assumed that there were at most a fewhundred, or maybe a couple of thousand,but I was off by orders of magnitude)-- Which proxy blacklists worked best?-- I also wanted to test a theory I had thatwhen publicly identified, insecure proxiestended to get fixed, or crushed intounusability by massive worldwide demand.

• This talk is the result of my investigationinto open proxies and those topics.

8

"Is this talk relevant to me?"• Because this talk introduces a security topic

which hasn't been talked about at previousInternet2 meetings, you may wonder, "Isthis talk relevant to me?"

• I suppose that depends…

-- If you're an end user who's wondered howspammers anonymously shovel unsolicitedcommercial email at you, yes, it will berelevant.

9

"Is this talk relevant to me?" (2)• -- If you're a sysadmin attempting to

develop a strategy to cope with spam,attempting to understand an attack vectoryou may be confronting, or attempting tounderstand why it is important to secureyour own proxy, it's definitely relevant.

-- If you are an engineer responsible foryour network's security, it definitely willbe relevant.

10

"Is this talk relevant to me?" (3)• -- If you are a policy person, concerned with

acceptable use issues, privacy andanonymity issues, bandwidth managementpolicies, maintaining Internet2/non-Internet-2 network traffic separation, etc., it will berelevant.

-- The rest of you can hit the bar early. :-)

11

Talk format• Just as we've done for other Internet2 talks,

this presentation has been prepared withsufficient detail to allow for post hoc use asa tutorial, so that folks who may not be herecan still work through what was covered.

• We've attempted to keep the presentation atan intermediate level of technical detail,with "something for everyone." Some mayfind it to be more technical than they mightlike, others may find it rehashes what theyalready know in spots -- sorry about that.

12

What this talk is NOT about...• This talk is NOT about eliminating open

proxies as a way of facilitating censorship.• Nor is this a primer on "how to be a cracker/

hacker"; all the security issues mentioned arealready publicly known and well documented.

• Lastly, this talk is not meant to dictate how youshould run your network or how to configureyour servers -- that's a decision for you to makeafter considering the totality of all applicablecircumstances (but I do have some suggestions)

13

II. A Brief Tutorial onCaching Proxy Servers

14

What's a caching proxy server?Why would anyone run one?

• Caching web proxy servers are NOTintrinsically evil (malum in se).

• For instance, consider a computer lab beingused by a class. The instructor may say, "Okayclass, let's all look at the Smithsonian's website. Please go to http://www.si.edu/"

• The thirty or forty students in that class then(all more-or-less simultaneously) retrieve acopy of the Smithsonian's home page (and itsassociated images) over the Internet.

15

Redundancy Department,Department of

• Think about what just happened -- whyshould each person in that class retrievetheir own copy of the Smithsonian's webpage via the Internet? Why not just let thefirst person to ask for that page retrieve acopy over the Internet, saving and (locally)sharing that recent copy with other localusers who are also interested in that samepage? It turns out that that's precisely whatcaching web proxy servers actually do….

16

Bandwidth savings associatedwith doing web proxy caching...• It is common to see cache vendors claim

that a properly deployed cache can typicallyserve 1/3 to 1/2 of all end user page requestsfrom a local web cache, thereby reducingbandwidth usage by up to 25% or more.

• You can see some publicly available proxycache stat reports by searching google for calamaris "Proxy Report"(Calamaris is one of the more popular webproxy cache log parsers).

17

Some folks even use MRTG totrack cache hit ratios...

18

Improving the"Internet experience"

• Caching can also improve the user's"Internet experience," since documentretrievals "feels faster" (and largedocuments are delivered faster, consideringbandwidth-delay product issues) whenserved from a local, lightly loaded, properlyengineered cache box connected via gigabitethernet.

19

There are many web cachingproxy server products which

one could use...• Squid (free): http://www.squid-cache.org/• Blue Coat (formerly CacheFlow):

http://www.bluecoat.com/• NetApp: http://www.netapp.com/

products/netcache/• Volera: http://www.volera.com/• … and many others (including "big names"

like Cisco, IBM, Microsoft, Sun, etc.)

20

Do ISPs actually useweb proxy caching?

• You betcha. Not withstanding arguments fornetwork transparency (e.g., RFC 2775), andnot withstanding the ready availability ofcheap commodity transit bandwidth (and theimportance of non-proxy-enabled P2Papplications in determining ISP bandwidthusage), caching is still common at many largeISPs such as AOL, Comcast, Cox, RoadRunner, etc., as well as at large universities(e.g., http://www.cites.uiuc.edu/webcache/ )

21

Both ends of the spectrum...• One of the (many) ironies of web caching is

that web caches tend to be deployed by twocompletely dissimilar types of sites:a) huge ISPs (such as RBOCs, cable modemproviders, and large universities) offeringbroadband connectivity to 10s or 100s ofthousands of users, andb) small sites that are thinly connected tothe Internet (such as foreign sites payingoutrageous fees for connectivity).

22

Are all web pages cacheable?• It is comparatively easy to intentionally (or

accidentally) create non-cacheable pages:-- https (secure web pages), or pages protected with HTTP authentication-- pages with dynamic content (e.g., URLs including .cgi, .asp, a ? or a ; are often not cached), or pages using cookies-- pages explicitly marked as non-cacheable

• To check the cacheability of a given page, seehttp://www.ircache.net/cgi-bin/cacheability.py

23

CacheNow! webpages• One of the most influential pages

encouraging both cache deployment andcache-friendly web page design is theCacheNow! Site athttp://vancouver-webpages.com/CacheNow/

• So assuming an ISP wanted to deploy a webproxy cache, how might they do it?

24

Voluntary use of a web cache• There are three different ways an ISP or other

site could deploy & use a caching proxy:1) A site can offer a caching web proxy andallow users to manually configure theirbrowser to use it (or not use it) as theypersonally see fit. This approach assumes thatusers will be willing and able to manuallyconfigure their web browser's to use the proxyserver. [Doing that configuration isn't all thathard, but it isn't particularly intuitive, either,requiring entry of a host name & port number]

25

Manually configuring IE

26

Manually configuring Mozilla

27

ISPs "incenting" thevoluntary use of a web cache

• Why anyone would bother to use a non-mandatory web cache?

• At least some sites may offer "incentives" toencourage web cache use, such asexempting traffic flowing through thatcache from per-byte traffic charges,excluding traffic flowing through the cachefrom per-user traffic quotas, or excludingtraffic flowing through the cache box fromtraffic shaping rulesets (making it faster).

28

Examples of sites incentinguse of a proxy server

• http://rcn.oregonstate.edu/bandwidth_faq"Any traffic you use through the proxyserver does not count against your inboundtraffic limits."

• http://www.ucs.uwa.edu/web/info/access/netusage_faqs/traffic"If the item is already in the cache there isno charge."

29

Another approach: WPAD• 2) A site could also exploit WPAD (Web

Proxy Auto-Discovery Protocol) toauto-direct most browsers (including IE) to asuitable local web cache. This assumes:-- users have left "Automatically detectsettings" checked in their Internet ExplorerPreferences (see the "Manually configuringIE" slide earlier in this talk)-- your web cache has a suitable name (e.g.,wpad.<domain> (or WPAD info is beingpassed via DHCP at address assignment time)

30

Some WPAD references• -- (expired draft) http://www.wrec.org/

Drafts/draft-ietf-wrec-wpad-01.txt-- (expired draft) http://www.wrec.org/ Drafts/draft-cooper-webi-wpad-00.txt-- (03/1996) http://wp.netscape.com/eng/ mozilla/2.0/relnotes/demo/ proxy-live.html-- http://www.microsoft.com/windows2000/ en/datacenter/help/autodis.htm (see also the MS IE 5.X Resource Kit, Chapter 21)

31

Security sidebar: wpad.<domain>is a magic/important hostname• Because many web browsers automatically

look for wpad.<domain>, uh, some securityconscious folks might want to insure thatthat address is pointed at an, uh, trustworthyhost. Empirically checking 211 Internet2members to see if wpad.<domain> was infact defined, I found that only six domains(bradley.edu, brandeis.edu, orst.edu,swmed.edu, ucsd.edu, uoregon.edu) hadbothered to define wpad.<domain>. Hmm.

32

Another approach:transparent caching

• 3) A site can transparently ("passively")route all web traffic through a cache box,either by using Web Cache CommunicationProtocol (WCCP) on a router or layer 4ethernet switch, or by physically forcing alltraffic through an inline network gatewaydevice which includes proxy serverfunctionality.

33

Transparent cachingwith WCCP

• For more information on WCCP, see:-- http://www.cisco.com/warp/public/732/ Tech/switching/wccp/index.html

• An example of configuring a cache box usingWCCP is available at:-- http://www.cacheflow.com/support/ config/transparent/wccp.cfm

• Before considering using WCCP, see also:http://www.ciac.org/ciac/bulletins/i-054.shtml

34

III. Inline Proxy Servers Aren'tJust Cache Boxes Anymore

… they also include a corkscrew, ascrewdriver, a nail file, a can opener,a magnifying glass, a tiny pair of little

scissors, a toothpick….

35

Transparent caching usingan inline gateway device

• The primary alternative to steering trafficvia WCCP for inline transparent caching isforcing web traffic through a network"choke point" -- an inline gateway devicefunctioning as a proxy (the gateway devicemay also act as a web content filter/trafficmonitor, a firewall, anti-virus scanner, etc.)

• Customary downsides to single points offailure, and problems going really fastthrough an appliance, are hereby stipulated.

36

Despite single points of failureissues and capacity issues...

• … inline transparent cache boxes are stillquite popular because of all the additionalstuff that can be done in addition to theproxy server's basic caching functionality.

• Put another way, the availability of a singlecentralized possible point of control is just"too sweet" for many admins to forgo,which is why web content filtering softwareis perhaps the most common add-on....

37

Content filtering via aninline web proxy

• Some examples of web proxy filtering("censorware") products deployed via inlinetransparent proxy boxes include:-- Bess (http://www.n2h2.com/)-- BlueCoat (http://www.bluecoat.com/ solutions/content_filtering.html)-- SquidGuard (http://www.squidguard.org/)

• [A critique of the merits of "censorware" isavailable at http://censorware.net/ see alsohttp://www.sethf.com/anticensorware/ ]

38

Advertising content filtersdeployed via an inline proxy

• It is worth mentioning that besides the semi-controversial "censorware" productstargeting "objectionable"/"recreational" webcontent, there are proxy filtering productswhich target cruft such as ads, popups, anda host of other obnoxious advertising-related stuff. http://internet.junkbuster.com/and many others are listed athttp://dmoz.org/Computers/Software/Internet/Servers/Proxy/Filtering/Ad_Filters/

39

Anti-viral filtering via aninline web proxy server

• Sites may also combine web proxies withanti-viral filtering at a gateway box.

• Examples of products doing this sort ofthing include:-- Trend Micro's InterScan VirusWall-- McAfee WebShield-- Symantec AntiVirus GatewayBut hey, you're running desktop antivirussoftware, and SMTP executable attachmentdefanging with procmail already, right?

40

Proxy servers forprivacy enhancement

• Some people believe that proxy servers willgive them "enhanced privacy;" maybe... butdon't forget X-Forwarded-For: headers!

• Various browser anonymity checking websites will let you see what your browser isrevealing when you connect, including:http://www.all-nettools.com/pr.htmhttp://privacy.net/analyze/http://www.samair.ru/proxy/proxychecker/

41

If you really need privacy...• There are some companies that offer

privacy enhancement services via proxyservers such as allconfidential.com,primedius.com, anonymizer.com,freedom.net, guardster.com, etc.

• Curious? You can test drive an anonymizer:http://anon.free.anonymizer.com/http://cnn.com/

• Note: I'm not qualified to assess the quality ofthe privacy delivered by these or any otherservice, but there are analyses out there youshould see. For example...

42

http://cs.bu.edu/techreports/pdf/2002-003-deanonymizing-safeweb.pdf

43

Windows connection sharing• Some entities run Windows host-based

proxy servers as a way of sharing a singleInternet connection. Examples include:-- ICS (integrated in Windows itself…)-- AnalogX Proxy-- Avirt Spaghetti-- Deerfield WinGate-- Grok Developments NetProxy-- Ingetic Proxy+-- Kerio WinRoute Pro-- Youngzsoft CCProxy, etc., etc., etc.

44

Windows connectionsharing insecurity

• While some of those connection sharingproducts go to great pains to do that sharingsecurely, other Windows connection sharingproducts are quite "casual" about security.

• Many of the open proxies we'll talk aboutlater are actually associated with Windowsconnection sharing software installed bytechnically unsophisticated users who haveno idea just what they've done...

45

Reverse proxies• A final category of proxy server is the

reverse proxy server. Reverse proxy serversare commonly deployed to allow remoteusers to do username and passwordauthentication and gain access to domain-name- or ip-address-range-limited resourcessuch as proprietary online databases.Reverse proxies are commonly deployed byacademic libraries; a better alternative is todeploy a VPN offering authentication andencryption.

46

A typical academic libraryreverse proxy server

47

IV. Open Proxies

48

From benign to...• Now that you understand a little about how

proxy servers are supposed to work, let'sbuckle down and talk about the true subjectof this talk: open proxies.

49

What is an "open proxy?"• An open proxy is a computer that accepts

connections from anyone, anywhere, andforwards the traffic from those connectionsas if it had originated locally from that host.

• In some cases, the proxied connection mayonly allow access to the world wide web, butin many cases the open proxy may also beused to ftp files, read and post Usenet news,send email (including spam), do IRC orinstant messaging, launch a DOS attack, etc.

50

Open proxies are NOT thesame as open SMTP relays

• Folks sometimes confuse open SMTP relays(which most folks now have pretty wellunder control) with open proxy servers.

• Open proxies are NOT the same as openSMTP relays -- open proxies are a far, farmore serious problem, since they allowtraffic for virtually ANY network serviceto be "bounced through" that host (althoughopen proxies can and do also act as spamconduits).

51

Open proxies have been thesubject of security bulletins...

52

And excellentnarrative discussions...

53

So how does a proxy serverbecome open and abusable?

• A proxy server becomes open due to:-- misconfiguration/lack of configuration bythe administrator (e.g., a proxy server mayship "open by default," and access controllists may never be installed, or if they areinstalled, they may have been mis-set)-- inherent protocol/app deficiencies-- a conscious decision on the part of theparty installing the proxy to run it open(0wned boxes, political motivations, etc.)

54

Example of shipping"open by default"

55

Trojan'd proxy servers• Other users may be running a proxy server

which was installed by a hacker/cracker viaa trojan horse

• Canonical example: jeem.mail.pvJeem creates an open SMTP relay plus twoopen proxy ports on odd high numberedports. See, for example:http://securityresponse.symantec.com/avcenter/venc/data/backdoor.jeem.html

• As the pool of "regular" open proxies getsecured, we'll all see more Jeem'd machines...

56

V. Why Are Open Proxies ofInterest to "Bad Guys"?

57

Are bad guys reallyinterested in open proxies?

• Yes!• I believe open proxies are of exceptional

interest to various and sundry "bad guys"for many reasons.

• To understand why, it helps to think aboutthings from their point of view for a bit...

58

(a) "I don't want folks to knowwhere I'm really coming from"• Connections made via an open proxy are

often non-accountable, since the proxy maybe doing no logging, or if logging is beingdone, logs may be unavailable to thoseinvestigating network incidents.

59

What if proxy server logfiles might be available?

• In the case of bad guys who are exploitingproxy servers with the goal of trying to"cover their tracks," proxy server logs files*might* sometimes be obtainable. Theaccepted "bad guy solution" to that problemis to simply chain multiple proxy serverstogether, either manually or using a productsuch as http://proxychains.sourceforge.net/

• Doing explicit traffic routing via multipleindirect hops is not really a brand new idea...

60

Remember "blueboxes"?• In 1971, (a long, long time ago by Internet

standards), a popular activity with some"telephone hobbyists" was something called"tandem stacking." Someone engaged intandem stacking might use a special deviceto chain a phone call from one central officeswitch to another, with the most audaciousstriving to build a path which would route asimple intra-city call thru switches spanningthe globe. (Esquire, 10/1971)

61

Flash forward to 2003...• Thirty two years later, people are still

routing traffic in unexpected ways -- butnow the oddly routed traffic is networkdata traffic, not voice telephony traffic.

• For example, any technically inclinedperson will have wondered, "Why am Igetting spammed (or why is my firewallgetting probed) from odd places in Asia,Africa, and South America?"

• Concise answers: open proxies (of course).

62

(b) "I want to attack you frommany odd locations at once!"

• Open proxies allow a single entity to launchattacks/send traffic from multiple provider-diverse sources at the same time, therebycomplicating the problem of blocking spamor firewalling an attack. Dealing withmultiple parallel (potentially changing)attack sources is one of several reasons whydistributed denial of service network attacksare potentially so tough to deal with.

63

(c) "I want to try misleadingnaïve users by forging random

garbage into mail headers!"• Unlike spam sent via an open SMTP relay,

spam sent via an open proxy server can beconstructed so as to have arbitraryReceived: headers, thereby inhibiting effortsat backtracking spam to its source.

64

"Falsification of routing data"• It is interesting that many of the latest

generation of state anti-spam laws (seehttp://spamlaws.com/ ) prohibit spammer"falsification of message routing data"

• Use of open proxies is pretty much thebest/only "message routing falsification"trick spammers have available once you getusers to the "could you please turn on fullheaders?" level of spam analysis/reporting( http://micro.uoregon.edu/fullheaders/ )

65

(d) "How dare youtry to censor me!"

• By using an open proxy server, a user maybe able to overcome local connectionfiltering. For example, if your local networkdisallows connections to recreational websites, but allows you to connect to an openproxy, you can access a recreational website of interest by connecting to it indirectly,via the open proxy. Open proxy servers arethus particularly popular with subjects oftotalitarian regimes, and K12 students.

66

For example: filtering in CN...

67

And it is clear the Chinese areaware of open proxy servers

68

"Triangleboy"

69

(e) "Ack! They're blockingcommon P2P ports…"

• While there is substantial interest amongusers in accessing web content via proxies,and spammers certainly like to use proxiesto send email, administrators may notrecognize that even non-proxified peer-to-peer applications such as Kazaa, Edonkey,Grokster, Morpheus, etc. can also use proxyservers via 3rd party proxy tunnellingapplications such as ProxyCap( http://proxylabs.netwu.com/proxycap/ )

70

"My ISP is blocking outboundtraffic sent direct to port 25…"• Some bad guys may also be interested in

open proxy servers as a way of getting pastprovider-installed filters on any outboundSMTP traffic which isn't being sent via theprovider's designated SMTP servers.

• Providers who filter outbound port 25 trafficshould also be smart enough to filtercommon proxy server ports, but maybe not.

71

(f) "Hey, *I know* how we canget access to Internet2…"

• Particularly relevant to this audience, youshould note that open proxy servers runningat Internet2-connected sites may grantaccess to resources which might otherwisenot be available, such as network access toAbilene, or network access to a federalgovernment high performance missionnetwork such as DREN, ESNet, NISN, etc.

72

(g) "Limited just to their site?Nah, it's open to the world…"

• More than just access to high performancenetworks is at risk from open proxies. Otherassets which are vulnerable to the existenceof local open proxies include:-- Usenet News servers-- site-licensed software distribution servers, and-- online proprietary databases.

• For example...

73

JSTOR and open proxies

74

(h) "I know a way we can getall sorts of traffic to sniff…"

• Open proxy servers may (or may not) offeryou some level of privacy -- a proxy servermay be logging nothing about a transactionthat occurs via it, or, on the other hand, theproxy server may be undetectably sniffingevery character that passes through it (andthe origin of those transmissions), snaggingunencrypted usernames and passwords, orother confidential info....

75

HttpSniffer

76

(i) "I'm not making enough onclickthroughs right now…"

• Open proxies may also be exploited bythose who are trying to artificially generateinflated "hits" on revenue-generating website links. (Pay-per-hit revenue programstypically limit payments made on a per-unique-address basis, so to artificiallyinflate pay-per-hit revenues, you need lotsof addresses from which to generate "hits")http://www.securiteam.com/securitynews/6M00B2A0KQ.html

77

(j) "Do you reallysuppose we could…"

• And of course, open proxy servers allowbored people to try random networkexperiments such as routing web trafficfrom a local workstation to a local servervia a chain of proxies spanning the world,just like blueboxers from the early 1970's.

• I'm just waiting for network researchers tostart exploiting open proxies as volunteerendpoints for measurement projects. :-;

78

VI. Open Proxies (From thePoint of View of the Intended

Users of That Proxy)

"I don't like this place at allMakes me wonder what I'm here forSomeone take this pain away…"

Yet Another Day (Riva Remix),from Touched (George Acosta)

79

Problems associated withhosting an open proxy

• In addition to being a "public nuisance" or asecurity risk to the Internet at large for allthe reasons outlined above, open proxyservers really do a disservice to "innocentparties" who sit behind them, too.

80

(a) Firewall? What firewall?

• Open proxy servers may serve as a conduitfor inbound attacks, completely bypassing asite's firewall architecture.

81

This has happened tosome prominent sites….

82

(b) Sharing your pipe with a100,000 of your closest friends

• Because anyone, anywhere, can freelyaccess the Internet from an open proxyserver, unauthorized users will oftencompletely saturate the bandwidth availableto that server. This typically results inextremely poor performance for the proxyserver's intended users (often folks locatedin remote parts of the world wherebandwidth is scarce or expensive).

83

Hey, its only money...• ISPs hosting lots of open proxies also tend

to need bigger routers and more commoditytransit bandwidth than normal since theiropen proxy-running customers will berunning at unusually high network trafficlevels.

• I guess open-proxy-friendly Internet serviceproviders must just love to buy bandwidth(or maybe this is an intentional attempt tolook busy enough to justify settlement-freepeering? Yeah, that's it, that must be it…)

84

(c) Warrants, subpoenas,and writs, oh my!

• If you host open proxy servers, you shouldnot be surprised if you see a steady streamof warrants, subpoenas and writs seekingcustomer information, copies of servercontents (or the servers themselves).

• I would assert that it is better to buynetwork engineers and/or security staff todeal with open proxies rather than lawyersto deal with warrants, but each to their own.

85

(d) Open proxies may attractprobes for other vulnerabilities• Hosting persistently open proxies may

result in an increased risk of that host (andits network) getting scanned for othervulnerabilities, presumably becausepersistent open proxies serves as anindicator that no one cares/no one is payingattention. This is much like the associationbetween graffiti and crime rates in decayingurban areas. [Customers of some RBOCsmust be seeing incredible levels of scans…]

86

(e) Anti-open proxy DNSBLsmay block legitimate users

• As open proxy servers become identifiedand added to open proxy blacklists,legitimate users of those proxy servers maysuddenly find that they are blocked byDNSBLs from accessing Internet resources(such as IRC servers) because they areconnecting from an open proxy server.

87

Example of an IRC networkblocking open proxies

88

"Compared to the locusts, thefrogs weren't really that bad"

• While having an open proxy DNSBL lista particular /32 can be admittedlyinconvenient if you are a user of that openproxy server, it is far LESS inconvenientthan having your entire country blocked!

• Yes, there ARE country-wide blacklists inuse by people who are completely fed upwith spam from some parts of the world thatjust don't seem to care about network abuse.(I discourage use of country-wide DNSBLs)

89

Some examples ofcountry-wide blacklists

• http://www.blackholes.us/ (DNSBLs fornetwork blocks assigned to ISPs in AR, BR,CN, HK, JP, KR, MY, NG, RU, SG, TW,TH; also has blackhole DNSBLs for selectedlarge US/international ISPs)

• http://www.okean.com/asianspamblocks.html• See also: "Not All Asian E-Mail is Spam"

(http://www.wired.com/news/politics/0,1283,50455,00.html )

90

(f) "Semi-innocent" local usersmay get targeted by inept

local bandwidth witch hunts• When connections get saturated and local

performance becomes awful, rather thansuspecting that users from all over the worldare connecting to an open proxy andgobbling up bandwidth, many folks will justsay "AHAH! Someone is <fill in relativelytrivial unacceptable local network behaviorhere>…" with predictable results: a localinquisition and bandwidth crackdown.

91

(g) More joy of open proxies:getting LOTS of complaints

• The parties of record responsible for yournetwork will get LOTS of complaints fromangry users who've gotten spammed orotherwise abused via a local open proxy.Parties who will get complaints includewhois-listed contacts for your domain andyour network address block, your postmaster and security staff, (c) management,etc. If left undealt with, complaint volumecan cause a abuse response "death spiral."

92

Okay, so having an open proxyreally isn't that much fun...

• 100% correct. Having an open proxy serverreally can be miserable.

What's amazing to us is that despite thesubstantial pain associated with hosting anopen proxy server, and the fact that an openproxy server can exist only if BOTH thesystem owner/sysadmin AND their ISPdon't take steps to deal with the problem,there are LOTS of open proxies out there.

93

VII. How Many OpenProxies Are Out There?

100

1000

10000

100000

10/3/

2002

10/10

/2002

10/17

/2002

10/24

/2002

10/31

/2002

11/7/

2002

11/14

/2002

11/21

/2002

11/28

/2002

12/5/

2002

12/12

/2002

12/19

/2002

12/26

/2002

1/2/20

031/9

/2003

1/16/2

003

1/23/2

003

1/30/2

003

2/6/20

032/1

3/200

32/2

0/200

32/2

7/200

33/6

/2003

3/13/2

003

3/20/2

003

3/27/2

003

4/3/20

03

94

A serious epidemic, or oneperson with sniffles?

• The severity of the open proxy problem,like many problems, is largely a function ofits size.

• Obviously, if there are only a few hundredopen proxies, the problem is a different onethan if there are thousands or tens ofthousands of open proxies.

95

Bounding the immeasurable• No one can authoritatively tell you the total

number of open proxies in existence on theInternet today -- that number is constantlychanging, and is fundamentally unknowablewithout systematically probing all possibleproxy server ports on all possible addresses.

• Put another way, while we may know howmany we've seen so far, we don't know (yet)how many more open proxies are stilllurking out there undetected, ripe for abuse.

96

Working toward a number...• There are, however, some ways we can work

towards an estimate of the number of openproxies.

• For example, the reported size of somepublicly available open proxy lists tends torun in the tens of thousands to hundreds ofthousands of unique addresses.

• Obviously, just from that indicator alone, weknow we're talking about an epidemic, notone person with a head cold.

97

Or we could look at the rate ofdiscovery of new open proxies

• Let's assume spammers are aggressivelylooking for new open proxies. As theybegin to have problems finding new one,the number of newly abused open proxieswe see per day should decrease, and ourestimate of the true number of open proxiesshould begin to asymptotically approach thetrue number of open proxies. Unfortunately,we're nowhere near asymptotic yet...

98

Average new open proxy hosts/dayMarch 2003 through early April 2003

-2000

0

2000

4000

6000

8000

10000

12000

14000

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Successive measurement periods

Spikes at or above the2000/hosts/day rangereflect inclusion of datafrom other public open proxy listings

99

One (possible) positive sign...• We have noted one positive sign: the

number of open proxy hosts listed byBlitzed has actually begun to decline:

100

VIII. Sorting the Sheepfrom the Goats

101

How do we know if a hostis an open proxy server?

• There are five main ways whereby you candetermine if a particular IP address is nowor has formerly been an open proxy server:-- you can check http://openrbl.org/-- you can query open proxy DNS blacklists-- you can use a fully functional open proxy tester such as http://hatcheck.org/proxy-- you can scan the dotted quad in question for common open proxy ports, or-- we may be able to watch MRTG graphs.

102

http://openrbl.org/

103

About OpenRBL• OpenRBL is a very convenient way for a

naïve user to query a comparatively smallnumber of hosts, but it really isn't designedfor bulk queries:-- it is relatively slow-- it permits a limited number of queries/day-- it has anti-scripting features built-in

• If you're doing many queries, you'llprobably want to do those queries directly.

104

Querying DNS blacklists

105

Understanding DNSBLs• While domain name servers normally are

simply used to translate domain names tonumeric IP addresses, DNS servers can alsobe used as an efficient way to convey otherinfo (usually in the form of a "coded"network address from the 127.0.0.0 block),such as whether a network address is knownto be an open proxy server. For reasonsrelating to maintenance of the DNSBLlistings, DNSBLs usually use reversed IPs.

106

Understanding DNSBLs (2)• For example, if you wanted to query the

fictitious DNSBL zone badhost.foo.bar tosee if 123.45.6.78 was listed, you'd use hostor nslookup or dig to check to see if78.6.45.123.badhost.foo.bar was defined.

• Note that DNSBL's are "opaque" -- unlessthe operator chooses to make a copy of thatzone publicly available (e.g., via zonetransfers), one can only tell if an entry isdefined by explicitly checking that address.

107

Some notes on DNS blacklists• Some things to note when querying DNS

blacklists:(1) Open proxies exist which aren't in anyblacklists (duh); conversely some listeddotted quads may no longer be open proxies(2) Some DNSBLs list open proxies ANDopen relays AND spam-tolerant hosts ANDvirus-infested hosts AND … pay closeattention to the addresses each DNSBLreturns if you only care about open proxies.

108

Some notes on DNS blacklists (2)• (3) Some DNSBLs may have restrictive

legalistic terms and conditions that aretrivial to accidentally violate. I would urgeyou to respect those terms and conditions,and simply avoid DNSBLs with restrictiveT&C's -- there are others w/o tight T&C's.(4) Because DNSBLs are remote databasesdelivered via DNS, recognize that DNSqueries *may* sometimes fail (e.g., if allservers delivering DNSBL 'foo' are offline).

109

Some notes on DNS blacklists (3)• (5) If you do lots of DNSBL queries, your

local name server infrastructure maysuddenly become even more important thannormal to you, and may need watching toavoid performance issues.

• [Note to self: time for DNS serverbenchmarking work?]

• [Second note to self: after looking at openproxies problem, is it time to look at theissue of open recursive DNS servers?]

110

Some notes on DNS blacklists (4)• (6) It is (sort of) trivial to automate the DNS

queries using shell scripts/small programs.

Note from the trenches: forget aboutassuming it will be feasible for someone tomanually deal with open proxies -- youreally MUST automate this process due tothe transaction volume. Also note that youare (potentially) talking about a LOT ofDNS queries, so automate intelligently.

111

And of course...• If you decide to automatically block email

traffic from open proxies, you WILL end upusing a DNSBL since that's basically theonly scalable approach. :-)

• Some nice introductions to using DNSBL'swith sendmail is available athttp://mail-abuse.org/rbl/usage.html

112

http://hatcheck.org/proxy

113

Sometimes black is white(or grey, or red, or …)

• Note this example used the same dotted quad,tested the same day as the DNSBL tests

• It can be disturbing to find that doing a fullyfunctional test of a dotted quad listed in aDNSBL sometimes doesn't result inconsistent results...

• Surely, in an ideal world, DNSBLs and activeopen proxy testers would concur in calling ahost an open proxy (or not an open proxy) --but we don't live in an ideal world.

114

Sources of inconsistency• Some possible sources of inconsistency

between DNSBL's and proxy testers include1) a formerly open proxy may truly nolonger be open, but no one has gotten thatdotted quad delisted from all the variousDNSBLs out there right now.2) the open proxy may still be open, butmay only be intermittently available (e.g.,an open proxy running on a desktop that isonly powered up 8-5 local time).

115

Sources of inconsistency (2)• 3) The fully functional open proxy tester

may be getting firewalled by the open proxyoperator, their Internet service provider, ortheir ISP's upstream provider, even thoughthe open proxy itself may still availablefrom other locations on the Internet.4) The open proxy may be running on anuncommon port, or may be periodicallychanging the port(s) it is using to hinderdetection (or to evade upstream filtering ofcommon open proxy ports by the ISP).

116

Sources of inconsistency (3)• 5) The open proxy may only be open for a

limited range of services (e.g., webbrowsing, but not SMTP traffictransmission, for example), and the proxytester might be checking the proxy only forsome service it doesn't offer (like SMTP).6) The open proxy server may have beenrunning on a dynamically allocated address,and its lease may have expired (allowingthat address to be recycled for use by someother innocent/secure host).

117

Sources of inconsistency (4)• 7) An actively abused open proxy server

may be completely saturated, resulting inTCP timeouts or other odd errors.8) Proxy servers may accept incomingconnections on one address and createoutgoing connections on a completelydifferent address. Testing an output("apparent source") interface rather than aninput interface may result in incorrectinferences being made.

118

Sources of inconsistency (5)• 9) The putative open proxy may NEVER

have been truly open, although it may haveexhibited suspicious behaviors (e.g., it mayhave open ports on numbers stronglyassociated with open proxies, e.g., 1080 or6588, etc.), or a host may have beenmaliciously nominated as an act ofretribution (a so-called "Joe-job"), etc.[Most DNSBL's require evidence andvalidate user submissions, but there areexceptions; know your BL's listing criteria!]

119

Scanning via NMAP orspecialized proxy hunting tools

• Administrators may use a general purposescanning tool such as NMAP(http://www.insecure.org/nmap/ ) to scantheir own hosts or own networks to identifypotential open proxies; there are alsospecialized proxy detection and analysistools in widespread circulation such asProxy Hunter, Proxy Sniper, etc. (see:http://www.proxys4all.com/tools.shtml )

120

And speaking of scanning...• Scanning someone else's host(s) or someone

else's network(s) without their permissionmay be/is unlawful (at least in some states)and is not recommended (although weempirically know it is a common practice).

• The open proxy delisting paradox: "If onebelieves a host to be an open proxy, how isone to learn that that host is no longer anopen proxy if the owner doesn't know ofyour belief and active scans are unlawful?"

121

Common proxy ports• If you are scaning for proxies, it is helpful to

know the ports to watch for, although ofcourse any server (including an open proxyserver) can be bound to any arbitrary TCP/IPport. Some proxies may be running on wellknown ports such as 80 (http) or 443 (https):-- SOCKS 4/5: 1080-- HTTP: 3128, 8080, 6588, 80, 81, 4480-- Wingate: 23-- Peekabooty/Triangleboy/etc.: 443

122

To manually test aconnect mode open proxy

• Telnet to the open proxy port then enter:

CONNECT foo.bar.baz:25 HTTP/1.0<return><return>

If you see 200 Connected you know thatyou've found an open proxy that's willing tochannel SMTP traffic to server foo.bar.baz

123

MRTG as an openproxy spotting tool

• Yet another way of spotting a possible openproxy server is by watching traffic graphsfor individual switch ports where outgoingtraffic closely mirrors incoming traffic. Thistechnique is mentioned (and nicelyillustrated) at:http://www.rsc-london.ac.uk/technical/network/monitoring/ (see the "spottingopen proxy servers" section)

124

Or you can just wait for thecomplaints to pour in...

• The final way to identify open proxies onyour own network is to do nothing, andsimply wait for the complaints to comepouring in.

• At a minimum EVERY DOMAIN shouldhave a monitored abuse@<domain>address! See RFC 2142 at section 4!

• http://www.abuse.net/http://www.rfc-ignorant.org/

125

IX. Our Open Proxy List

126

The use-it-and-lose-it paradox• One of the most delightful things about

spammers using open proxies is that when aspammer sends spam through an openproxy, that act advertises the existence ofthat open proxy, facilitating its closure.

• Thus, when we'd see a "hit" against one ormore of the open proxy DNS blacklists, ornotice a new open proxy spamming usdirectly, we'd add an entry for that host to:http://darkwing.uoregon.edu/~joe/open-proxies-used-to-send-spam.html

127

Tracking open proxies• We began doing that in September 2002,

systematically looking at all IP addressesassociated with spam which slipped throughour filters and which were reported to us,as well as at the IP addresses of all mailwhich had been rejected by filtering rulesetsrunning on our shared systems. [You couldjust scrutinize ALL SMTP relay addressesseen in your logs, but you'll waste a lot oftime and do a lot of pointless queries.]

128

You won't notice open proxies ifyou're drowning in other spam...• If you're interested in identifying open

proxies by tracking their appearance inspam, as we were, the first step is to carveoff all the other sources of spam, e.g.:-- direct-from-dialup spam-- spam sent via open SMTP relays-- spam sent via vulnerable formmail cgi's-- spam sent from so-called "bulletproof" dedicated spamhouses

129

Blocking most non-proxy spamsources via DNSBLs

• While there are many ways of blocking thespam from those other sources, onecombination that works fairly well is themail-abuse.org RBL+ (not free, but quiteaffordable in zone transfer mode foruniversities), plus the free SBL fromspamhaus.org. That combo will kill mostspam not coming in from open proxies(although you may still need somesupplemental local blocks).

130

Add an open proxy DNSBL• After you've blocked those other spam

sources, most of what's left will be spamfrom open proxies.

• You can either let that spam come in, waitfor it to get reported, and then manuallysnag the relevant IP address from eachspam's headers, or you can add one or moreopen proxy DNSBLs. If you add an openproxy DNSBL, you can then snag theaddresses of potential open proxies (alongwith other spam sources) from your logs.

131

Pointers to some popularopen proxy DNSBLs

• Blitzed: http://www.blitzed.org/bopm/• Osirusoft:

http://relays.osirusoft.com/faq.html• SORBS:

http://www.dnsbl.sorbs.net/using.html• Wirehub:

http://basic.wirehub.nl/blackholes.html• NJABL: http://njabl.org/• … and there are others.

132

Format of the open proxy list

• There are currently ~100K entries in a formatthat looks like:[snip]200.149.218.155 (02/25/2003) [PE218155.user.veloxzone.com.br] --OSW200.149.218.156 (03/09/2003) [PE218156.user.veloxzone.com.br] -----N200.149.218.161 (02/19/2003) [PE218161.user.veloxzone.com.br] B--SW200.149.218.164 (03/20/2003) [PE218164.user.veloxzone.com.br] --OSWN200.149.218.173 (12/22/2002) [PE218173.user.veloxzone.com.br] --OS200.149.218.177 (02/25/2003) [PE218177.user.veloxzone.com.br] B-O-W200.149.218.180 (04/03/2003) [PE218180.user.veloxzone.com.br] ---SW-200.149.218.187 (02/27/2003) [PE218187.user.veloxzone.com.br] ----W200.149.218.188 (02/19/2003) [PE218188.user.veloxzone.com.br] B-O-W200.149.218.206 (03/20/2003) [PE218206.user.veloxzone.com.br] ---SW-200.149.218.208 (01/23/2003) [PE218208.user.veloxzone.com.br] B--SW200.149.218.229 (03/09/2003) [PE218229.user.veloxzone.com.br] ---SWN200.149.218.238 (03/20/2003) [PE218238.user.veloxzone.com.br] ---SW-200.149.218.245 (03/20/2003) [PE218245.user.veloxzone.com.br] ---SW-200.149.219.15 (01/10/2003) [PE219015.user.veloxzone.com.br] open on 1080 and 3128200.149.219.37 (03/20/2003) [PE219037.user.veloxzone.com.br] ---SW-200.149.219.41 (04/03/2003) [PE219041.user.veloxzone.com.br] ---SWN[snip]

133

Format of the open proxy list (2)• The entries are maintained in numeric order

by dotted quad, one entry per line.• Each line shows the dotted quad in

question, the date DNSBLs were checkedfor that address, the hostname associatedwith the dotted quad (or "no reverse DNS"if applicable), and a mask showing whichopen proxy DNSBLs listed the address atthe time it was checked/listed (and possiblyinformation about the ports the proxy used)

134

Coding of DNSBL proxy entries• The three to six character mask at the end of

each entry is encoded using the scheme:

B opm.blitzed.org- [used to show a now-omitted DNSBL]O relays.osirusoft.com (127.0.0.9)S dnsbl.sorbs.net (127.0.0.2,

127.0.0.3, and 127.0.0.4)W proxies.blackholes.wirehub.netN dnsbl.njabl.org (127.0.0.9)

• When a host isn't listed on a given DNSBL, adash is entered as a placeholder

135

"Wait a minute! By publishingthat kind of list, you're just

making the problem worse!"• No. There are already plenty of open proxy

lists in existence, and those lists routinelyinclude information (such as port numbers)that amateur/bulk proxy abusers need. Mylist only includes port numbers in limitedcircumstances (for example, when I'mdocumenting a proxy that isn't otherwiselisted on a DNSBL we use, or I'vepersonally received spam via that proxy).

136

Hardcore proxy abusers don't usehosts from public lists...

• Known open proxies tend to be saturatedand slow, so professional open proxyabusers tend to scan for their own "fresh"proxies, buy private lists of open proxiesfrom proxy scanning specialists, or tradeopen proxies among themselves. (For somesense of that activity, albeit on a hobbyist/casual scale, search for proxy or proxies ingroups.yahoo.com or groups.msn.com)

137

Don't shoot the messenger• The first step to fixing any problem is

dragging it out from the shadows into thelight of day. If you refuse to talk about aproblem, it will never get fixed. The openproxy problem NEEDS to get fixed.

• Unless you can document and detail aproblem, many ISPs are unwilling to takeaction to fix that problem.

• People need to see the full extent of theproblem to appreciate the need for largescale corrective action.

138

Besides...• Anyone who gets spammed and has access

to sendmail logs, web server logs, firewalllogs, etc. could build a similar list; I'm notdoing something magic here…

• On the other hand, we do know that our listgets retrieved LOTS of times every day,sometimes via open proxies (which wedutifully add to the list). :-)

139

What domains are seenon the open proxy list?

• 27.3% no reverse DNS 5.2% telesp.net.br 3.4% prodigy.net.mx 3.3% veloxzone.com.br 2.6% rr.com 2.6% wanadoo.fr 2.1% interbusiness.it 2.0% dsl-verizon.net 1.8% telecom.net.ar 1.7% hinet.net 1.6% pacbell.net 1.5% attbi.com 1.4% swbell.net

140

What domains are seenon the open proxy list? (2)

• 1.0% ameritech.net1.0% skynet.be0.9% comcast.net0.9% btopenworld.com0.8% rima-tde.net0.8% bellsouth.net0.8% speedyterra.com.br0.8% brasiltelecom.net.br0.8% ntl.com0.7% tpnet.pl0.6% advancedsl.com.ar0.6% virtua.com.br0.6% rogers.com

141

What domains are seenon the open proxy list? (3)

• 0.5% shawcable.net0.5% ttd.es0.5% sympatico.ca0.5% prima.net.ar0.5% bigpond.net.au0.4% charter.com0.4% adelphia.com0.4% t-net.net.ve0.4% t-dialin.net0.4% chello.nl0.3% videotron.ca0.3% brdterra.com.br0.3% terra.com.br

142

What domains are seenon the open proxy list? (4)

• 0.3% cox.net0.3% telepar.net.br0.3% speedy.com.ar0.3% vtr.net0.3% wanadoo.net0.3% tele.dk0.3% a2000.nl0.3% optonline.net0.3% papalegua.com.br0.3% bezeqint.net0.2% blueyonder.co.uk0.2% verizon.net

143

What domains are seenon the open proxy list? (5)

• 0.2% infoweb.ne.jp0.2% ono.com0.2% surfer.at0.2% ethome.net.tw0.2% telekom.at0.2% telus.net0.2% proxad.net0.2% hispeed.ch0.2% att.net0.2% planet.nl0.2% arcor-ip.net0.2% hansenet.de0.2% axelero.hu

144

What domains are seenon the open proxy list? (6)

• 0.2% Ajato.com.br0.2% uswest.net0.2% mindspring.com0.2% fibertel.com.ar0.2% hkcable.com.hk0.2% charter-stl.com[all others contributed less than 0.2%]

145

The no reverse DNS folks• The same people who can't securely configure

their proxies obviously also don't give a damnabout inaddr's. :-)

• In some cases, the lack of reverse DNS maybe due to domain names not being "relevant"(e.g., at sites that use non-roman languages),but other ISPs may intentionally not provide areverse address in an effort to reduce thenumber of complaints they receive... That'sokay, we 'll soon be mapping those dottedquads to responsible parties via other means.

146

Too big to block?• If you meditate on the country code

distribution shown in that list, you can seewhy some use country-wide blocks, even ifthey do inflict lots of collateral damage.

• There are some folks on that list who should(and do) know better than to ignore openproxies on their network. They may haveapparently come to believe "we're too big toget blocked," or "we don't want to cut offany paying customer, even if they areinsecure -- we'll just ignore the complaints."

147

Fast connections (except fromhigher education) are beloved

• Clearly, there is an association betweenconnection speed and open proxy presence;fast connections are more likely to be tryingto do connection sharing, and because thoseconnections are fast, they tend to beattractive to abusers.

• For the most part, higher education sites doNOT tend to show up much, which isexcellent news (and contrary to somecommonly articulated popular perceptions).

148

And yes, some open proxieshave been listed "forever"

• It is absolutely true that there are someproxies on the list that have been listed for aREALLY long time, e.g., since October2002 in some cases. What can I say? Somepeople simply may not care if they have anopen proxy; in other cases, the proxies maybe secured, but the system owner may notknow how to get off a DNSBL we use, ormay not care to bother.

149

If a host is already on the list...• If you do keep a local list like ours, it is

easy to forget (as you process your logs,looking for new open proxies to add), thatyou can skip any address you've already gotlisted -- you don't need to requery all theopen proxy blacklists if you've got thataddress already locally listed. Grep yourlocal list first! [duh]

150

Taking entries off the list• Periodically we recheck the blacklists for all the

entries on our list and remove the dotted quadsthat are no longer listed on any of the five used.

• Retesting can become, um, tricky, when you'retalking about doing half a million queries(~100K hosts X 5 DNSBLs).

• It currently takes roughly half a day to dohalf a million retests… yes, we could make therechecks faster/more aggressive, but we need|to be careful of our impact on DNS servers...

151

Effect of adding anddeleting DNSBLs

• During the time we've been maintaining thislist, we've added and deleted a number ofDNSBLs from coverage, and have done off-list testing of some additional DNSBLs(some of which we have elected to not add)

• When DNSBLs are added or deleted, youmay see a noticeable jump or drop in thenumber of entries listed; this is not a sign ofdata problems. (see the graph on slide 93)

152

IX. "What Can I Do?"

153

Chip in...• The most important step, if you see spam

from an open proxy that isn't already listedat sites such as OpenRBL, is to report it.Open proxy DNSBL's develop bettercoverage and work better for all of us asmore people use and contribute to them.

• One of the best ways to report spam youmay receive is via http://spamcop.net/

• Be sure to also train your end users how toreport spam they may receive!

154

Make sure you aren'tpart of the problem...

• If you run a proxy server, review yourconfig and your log files for problems.

• If you are responsible for your campus'network, make sure it isn't infested withopen proxy servers.

• Review your acceptable use policy to insurethat you've disallowed open proxy servers,either by name, or via general prohibitionson "unauthorized resource sharing"

• Make sure you've got an abuse@ address

155

Protect your own mail servers• Use an open proxy DNSBL to protect your

own mail servers, just as you may alreadyreject mail from open SMTP relays.Blocking traffic from open proxies is abasic step that a growing number of majorISPs are already doing. For example:-- http://postmaster.info.aol.com/ops.html-- http://security.rr.com/mail_blocks.htm-- http://help.yahoo.com/help/us/mail/defer/ defer-02.html

156

Which open proxyDNSBL should you use?

• Picking a DNSBL to use in production (e.g.,to protect a mail server) involves evaluatinga variety of different factors, including:-- what's the maintainer's reputation?-- does the DNSBL catch the open proxies you're seeing? (how inclusive is it?)-- does the DNSBL remove open proxies when they are no longer open? (and does it do so automatically? upon request? or?)-- is the DNSBL fast? reliably available?

157

Some of those factors arehard to evaluate objectively...

• … but it is easy to evaluate "coverage" or"inclusivity". Looking just at what'scurrently being "caught," the currentranking looks like:

Sorbs: 98.1%Wirehub: 90.1%NJABL: 47.1%Blitzed: 19.0%Osirusoft: 14.0%

158

If you want to usejust one DNSBL...

• We'd suggest picking either Sorbs orWirehub (they tend to be fairly congruent) :DNSBL COVERAGE PATTERNS WHICH INCLUDE BOTH SORBS AND WIREHUB:

34135 36.7% ---SW-20871 22.4% ---SWN 8954 9.6% B--SWN 5191 5.6% --OSW- 3067 3.3% B--SW- 2410 2.6% --OSWN 2233 2.4% B-OSWN 692 0.7% B-OSW-

• But what should you pick if you wanted touse a second complementary DNSBL?

159

A second DNSBL...• If you decided to pick Wirehub as a first

DNSBL, a good 2nd choice might be Sorbsor NJABL. If you added Sorbs to Wirehub: 5097 5.5% ---S-- 1183 1.3% ---S-N 684 0.7% --OS-- 468 0.5% ----W- 216 0.2% B--S-N 198 0.2% B--S-- 121 0.1% --OS-N (no remaining pattern with >100 hits)

If you added NJABL to Wirehub: 4232 4.5% -----N 1183 1.3% ---S-N 468 0.5% ----W- 446 0.5% B----N 216 0.2% B--S-N 121 0.1% --OS-N

160

A second DNSBL... (2)• If you decided to pick SORBS as your first

DNSBL, a good 2nd choice might be NJABL:5097 5.5% ---S--4232 4.5% -----N1183 1.3% ---S-N684 0.7% --OS--446 0.5% B----N216 0.2% B--S-N198 0.2% B--S--121 0.1% --OS-N (remaining patterns each <100 hits)

161

Educate downstream partners• Some I2 sites/state networks are already

aware of the open proxy issue, and aredoing a good job getting the word out totheir downstream partners.

For example, see:http://www.more.net/security/advisories/2002/020304.html

You could do likewise...

162

Educate the carriers• If you buy transit bandwidth or negotiate

peering with carriers, don't miss thatopportunity to beat the drum about theproblem of open proxies. Carriers areNEVER more receptive to your feedbackthan when they're trying to make a sale.Insist that they describe the steps they taketo deal with open proxy abuse, and spam ingeneral, before you sign that P.O.

163

Finally...• You may want to become involved at the

state level in promoting anti-spam lawswhich address open proxy server abuse.

• Twenty six states have some sort of anti-spam law as of the start of this year -- howabout yours? (see http://spamlaws.com/ )

• If you don't have one, work with your stateAttorney General's office to get one passed,or volunteer to provide technical assistance.

164

X. Conclusion

165

Outcomes in a nutshell• We believe we have a steadily improving

understanding of how many open proxies areout there, where they are located, and howthey can be efficiently blocked using one ormore DNS blacklists.

• Many insecure open proxies are gettingclosed, although the problem is far from over.

• It is becoming steadily harder for spammersdegrade your email by sending "untraceable"spam.

166

Some future work• Open proxies without reverse addresses

need to be attributed to responsible entities.• Correlation of open proxies with

spamvertised URLs needs to be done toestablish what spamvertisers are using openproxies to send spam (this will beincreasingly important as states passlegislation making that behavior unlawful).

• Our data should be provided in formatsother than just a flat IP-sorted web page.

167

Acknowledgments• While I am solely responsible for the content and

opinions expressed in this document, I would like tothank a number of people who have provided invaluablesupport and/or technical assistance on this project,including Joanne Hugi, my boss and the Associate VPfor Information Service; Steve VanDevender and BobJones of the Computing Center Systems group; JonMiyake, Computing Center Acceptable Use Officer (andPerl expert); the whole Computing Center NetworkServices DNS crew (particularly John Kemp and JasonEdmiston); all the people who offer DNSBLs or otherantispam tools to the net; and my family, which haspatiently put up with my latest obsession.

168

Thank you!• Thanks for your patience with this long talk

so late in the day.• Questions?