hosts specifically set up to attract abuse, have been around since at least
1990. Typically, they have been used to detect attacks against various
network services, such as SMTP or SSH, but have not been very successful at
detecting a wide range of web application attacks. Open proxy honeypots
provide a more attractive target for malicious web traffic. Combining
several open proxies leads to the Distributed Open Proxy
Honeypots (DOPH) project which centralizes the monitoring of open proxies
installed all over the globe.
Standard honeypot techniques do not provide much of interest to a web
attacker, there is no high profile website to deface or high value
information stored there. The honeypot is unlikely to be able to respond
correctly to attempts to probe for vulnerable web applications. This makes
it difficult to gather information on the variety of web attacks that are
being used "in the wild". What is needed is a way to listen in on
malicious traffic, which is exactly what a proxy can do.
A proxy is simply a program that forwards traffic for a client. It sits in
the middle of the conversation, sending the client requests to the server
and forwarding the server replies back to the client. As far as the server
can see, it is only talking to the proxy system, it cannot tell that there
is a client elsewhere actually making the requests.
Proxies exist for a number of reasons, SOCKS is used to traverse
firewalls, whereas anonymizers are used to obscure the origin of web
traffic. There are also less visible proxies for load balancing or to get
call. Most proxies have rules that govern who can use them and what
destinations are legitimate, without those rules, it becomes an open
Probably the most famous open proxy was the default configuration of
sendmail (before version 8.9.0 in 1998) which would forward email to and
from any destination. Before the explosion of spam, it was considered
neighborly to relay mail for anyone who asked.
A system configured as an
open proxy for web traffic can record information about what it sees, with
luck some portion of it will be malicious. But there is a subtle problem
with this approach, the proxy host may be facilitating attacks on
vulnerable web servers, attacks which appear to originate with the proxy.
There is also concern
that recording the "conversation" could run afoul of wiretapping laws.
These problems require an open proxy honeypot, at least one that wants to
avoid legal trouble, to take some steps to minimize them.
Informing someone that you are recording is typically enough to avoid
wiretapping violations, so the DOPH project uses two separate warnings.
The first is on the proxy host's webpage, but since most malicious users
will never see that page, an additional warning was added to the HTTP
headers returned by the host. Typically only programs see those headers,
but it is, at least, an attempt to inform the recorded party.
A much more difficult problem is to stop "bad" traffic while proxying
"good" traffic. The proxy must seem to function correctly or it
will never be used, but honeypot operators are interested in stopping web
abuse, so they want to minimize the chances of being used in a real
attack. It is a very fine line, they want the bad traffic to study, but
not to pass on.
The DOPH project uses the ModSecurity module for the Apache
webserver to filter content based on a set of rules maintained by
Got Root. The rules specify the signature of various attacks which causes
ModSecurity to flag them as it inspects the website traffic. To try to
fool attackers and/or their programs, a HTTP 200 (OK) status is returned
when an attack is detected. The ModEvasive Apache
module is also used to detect and stop the proxy being used in a denial of
Fully configured versions of the proxy are available from the project
as VMware images that can be run using the "free as in beer" VMware server
software. The DOPH proxy communicates back to a central data collection
server, sending the ModSecurity audit log information. This allows the
project to aggregate the information to determine what kinds of attacks are
currently ongoing. A Web
Security Threat Report (PDF), covering the first few months of the
project, was released in April. Seven, geographically diverse, hosts
participated during the first reporting period and the project is always
looking for more people, willing to run proxy hosts, to increase their data
Open proxies are used by attackers to mask their true location. It is
not uncommon for a chain of proxies to be used, as it makes it more
difficult to track back to the originator. If the chain crosses borders,
using proxy servers in different countries, each with its own set
of laws and procedures to access the server log files, it makes it that much
harder. The DOPH project does not specify how they publicize their
proxies, that might be giving too much information to attackers, but during
the first four months of 2007, their servers handled around a million web
requests of which roughly 20% was malicious or suspicious.
Attackers are likely to get more sophisticated over time and their tools
will get better at recognizing these kinds of techniques, but there is
still value in gathering the data. The proxy techniques will evolve as
well which will allow statistics to be gathered and new attacks to be
spotted. As the attackers recognize the threat, they will be more inclined
to use proxies in an attempt to mask their location, which provides a kind
of feedback loop driving more traffic to the honeypots. Open proxy
honeypots cannot and will not fool all of the attacks, but they provide a
way to study some of them.
to post comments)