| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Apr 24 09:51:15 2006 From: 3APA3A at SECURITY.NNOV.RU (3APA3A) Subject: Detecting anomaly in client software behaviour (Re[2]: Proxy Detection) Dear Georgi Guninski, There are multiple ways to detect proxy without x-forwarded-for header. Just few: Application level: 1. Changed HTTP protocol. Some browsers, including IE, use HTTP 1.1 with direct connection and HTTP 1.0 for proxy. 2. Changed request headers in browser (example is Accept: header in Internet Explorer, which is different if proxy is used). 3. Proxy-specific headers modification. E.g. squid can easily be detected regardless of X-Forwarded-For: 4. Changed "border values". For example, 'proximitron' in fully transparent mode can be detected by limited maximal length of GET requeast. Transport level: 1. Changed TCP 'PUSH' flag sequences because of different buffer layout 2. Changed client port. By default Windows use limited range of ports for dynamic assignment. Client port with high number in combination with Windows browser indicates NAT or proxy. Network level: 1. Passive fingerprinting techniques (e.g. different default TTL for Windows and Linux). If Windows browser request comes from Linux box it indicates proxy (and only proxy, as NAT doesn't change TTL). --Monday, April 24, 2006, 12:03:37 PM, you wrote to gluttony@...il.com: GG> On Sun, Apr 23, 2006 at 01:48:45AM -0700, Andrew A wrote: >> Tor does not give an x-forward-for. >> GG> some isps make transparent proxying mainly via squid. GG> probably an exit node in such an isp may give proxy headers. -- ~/ZARAZA http://www.security.nnov.ru/
Powered by blists - more mailing lists