lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <508918103.20060424125106@SECURITY.NNOV.RU>
Date: Mon Apr 24 09:51:15 2006
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Detecting anomaly in client software behaviour (Re[2]:
	Proxy Detection)

Dear Georgi Guninski,

There  are multiple ways to detect proxy without x-forwarded-for header.
Just few:

Application level:

1. Changed  HTTP  protocol.  Some browsers, including IE, use HTTP 1.1
with direct connection and HTTP 1.0 for proxy.
2. Changed  request  headers  in  browser (example is Accept: header in
Internet Explorer, which is different if proxy is used).
3. Proxy-specific   headers   modification.  E.g.  squid can easily be
detected regardless of X-Forwarded-For:
4. Changed  "border  values".  For  example,  'proximitron'  in  fully
transparent  mode  can  be  detected  by  limited  maximal length of GET
requeast.

Transport level:
1. Changed TCP 'PUSH' flag sequences because of different buffer layout
2. Changed  client port. By default Windows use limited range of ports for dynamic
assignment.  Client  port  with  high number in combination with Windows
browser indicates NAT or proxy.

Network level:
1. Passive  fingerprinting  techniques  (e.g. different default TTL for
Windows  and  Linux). If Windows browser request comes from Linux box it
indicates proxy (and only proxy, as NAT doesn't change TTL).

--Monday, April 24, 2006, 12:03:37 PM, you wrote to gluttony@...il.com:

GG> On Sun, Apr 23, 2006 at 01:48:45AM -0700, Andrew A wrote:
>> Tor does not give an x-forward-for.
>>

GG> some isps make transparent proxying mainly via squid.
GG> probably an exit node in such an isp may give proxy headers.



-- 
~/ZARAZA
http://www.security.nnov.ru/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ