North American Network Operators Group

Re: Open relays and open proxies

  • From: Joe St Sauver
  • Date: Thu Apr 24 16:00:34 2003

Hi Adi,

#I am seeing an increasing number of hosts on our network become an open 
#proxy. So far the response to this has been reactive, once I receive 
#complaints from spam victims I deal with the source of the problem.

The sheer act of having an abuse address and acting on reports received
on it puts you a leg and a half up on a number of other service providers 
who have chosen to studiously ignore abused open proxies on their networks.

#Is there an accepted way of blocking open proxy and open relay traffic at 
#the network edge?

I think this is going to be an increasingly difficult problem to attack
via blocks on specific ports; that is, while some folks may suggest blocking
1080/tcp, 3128/tcp, 5490/tcp, 6588/tcp, 8080/tcp, etc., you should be 
aware of an emerging class of viruses which are designed to create open
proxies on uncommon and non-standardized high numbered ports which can 
then be exploited by the party controlling that virus (sort of a "make 
proxy hosts to order" operation). Jeem is probably the canonical example
of this.

The sheer magnitude of the problem also argues against manual construction
of ACLs on a host-by-host basis; to date, having looked at this issue
for maybe six months now, I believe the number of *known* open proxies is
on the order of 120K hosts, few of which are sequentially disposed into
nice CIDR-able netblocks (unless you're okay with the concept of lumping 
sheep with goats in the case of some thoroughly larded ISPs, if I may mix
my metaphors). 

What's really needed is some way to take open proxy DNSBL data and 
instantiate a dump of that data onto a suitable appliance. It is probably
too much state to burden a reasonably sized border router with, but you 
could imagine other devices that could probably handle it (at least for
moderate speed flows), much as there are currently middle boxes which
rip open packets to target peer to peer traffic.

If you're interested in the issue of open proxies, you may want to see
the paper I presented this April in Arlington VA at the Internet2 Member
Meeting entitled "The Open Proxy Problem." Since that was a "suit" meeting,
the talk backfills a bit about proxies at the start, but you can flip 
through the bits that are old news pretty easily. PDF and PowerPoint 
versions are available online at http://darkwing.uoregon.edu/~joe/proxies/

Regards,

Joe St Sauver ([email protected])
University of Oregon Computing Center
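
The aggregation point made in the message above (listed hosts rarely fall into CIDR-able blocks, and lumping them together blocks unlisted neighbors) can be measured on a DNSBL dump before any ACL is built. This is an added example, not part of the original post; the addresses are constructed from documentation ranges, and the function names and the /24 threshold are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of DNSBL-listed open proxy hosts (documentation
# ranges only, not real listings).
LISTED = [
    "192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7",  # one aligned run
    "192.0.2.77", "192.0.2.130", "192.0.2.201",
    "198.51.100.9", "198.51.100.10",  # adjacent, but not on a /31 boundary
    "203.0.113.250",
]


def exact_acl(hosts):
    """Smallest prefix list that matches the listed hosts and nothing else."""
    nets = (ipaddress.ip_network(h) for h in hosts)
    return list(ipaddress.collapse_addresses(nets))


def lumped_acl(hosts, prefixlen=24, min_listed=3):
    """Block a whole /prefixlen once it holds min_listed listed hosts and
    keep host entries elsewhere. Returns (acl, unlisted_addresses_blocked)."""
    def parent(host):
        return ipaddress.ip_network(host).supernet(new_prefix=prefixlen)

    counts = Counter(parent(h) for h in hosts)
    dense = {net for net, n in counts.items() if n >= min_listed}
    singles = [ipaddress.ip_network(h) for h in hosts if parent(h) not in dense]
    # Collateral: addresses inside a blocked prefix that were never listed.
    collateral = sum(net.num_addresses - counts[net] for net in dense)
    return sorted(dense) + singles, collateral


if __name__ == "__main__":
    exact = exact_acl(LISTED)
    print(f"{len(LISTED)} listed hosts -> {len(exact)} exact ACL entries")
    for net in exact:
        print("  deny", net)
    acl, collateral = lumped_acl(LISTED)
    print(f"lumped at /24: {len(acl)} entries, "
          f"{collateral} unlisted addresses blocked as well")
```

Run against a real DNSBL dump, the ratio of exact entries to listed hosts shows how much state the filtering device has to hold, and the collateral count puts a number on the sheep lumped in with the goats.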