Open relays and open proxies

Richard Cox Richard at mandarin.com
Thu Apr 24 20:35:31 UTC 2003


On 24 Apr 2003 14:11:12 -0500 (CDT), Adi Linden <adil at adis.on.ca> asked:

| I am seeing an increasing number of hosts on our network become an open
| proxy. So far the response to this has been reactive, once I receive 
| complaints from spam victims I deal with the source of the problem.
| 
| Is there an accepted way of blocking open proxy and open relay traffic
| at the network edge?

It's been established by several people that a number of recent viruses
(such as jeem, sobig.a; see http://www.lurhq.com/sobig.html) are used to
install or pave the way for remote installation of abusable proxies.

Because those installed proxies do NOT listen on any consistent port number
you cannot rely on even proactive port-scanning to identify the proxy.
What the proxy does is to "phone home" and report its IP and port: so
detecting it by that behaviour will not always be straightforward.

Therefore if you get a complaint about virus activity from a user IP
it should be regarded as a free-of-charge heads-up that there may very
soon be an open proxy on that machine.  As you'll see from the above URL,
the installation process is not immediate and therefore you may need to
develop a working procedure to analyse the situation as it develops.

If I could amplify Joe St Sauver's point, having a working and trusted
abuse address is half the battle; having a trained team who can spot the
signs and act on them *in a timely way* is the other, and perhaps more
important half.  Remember that your reports will be likely to be coming
from the other side of the planet, and may therefore not observe your
local office hours.  24hr coverage by abuse staff (or by NOC staff who
can oversee the mailbox for relevant reports) is a great bonus here.
If you can deal with the situation quickly, you reduce the complaints
to a bare minimum and enhance your own reputation in the process.

SpamCop, for all the criticism it gets, DOES report abused proxies
quickly and with great reliability - far more reliably in the case
of proxies than, say, the human victims of the abuse.  It might pay
to set up a special process with SpamCop to get those reports at an
unpublished box, and put them through an automated process to spot
any with the "proxy" keywords.

One other point to note is that a lot of the scanning for installed
trojans, such as Netbus and Sub-Seven, is specifically done to install
proxies using tools such as Firedaemon (actual cases of this have been
found, where the user had no knowledge of the Firedaemon and Analog-X
installations on their machine).  Reports of THIS type of activity need
to be taken seriously, as the person who reports it (usually from a
firewall log) will be the one that escaped, but how many users in that
same /24 did not have a firewall and therefore got hit?  A selection of
scanner-traps sitting on spare IPs will alert you to what's going on.
When you find out how MUCH of it is going on right now, it will become
obvious why there are so many open proxies being complained about.

On our DSL lines we provide the firewall and insist on it being used!

-- 
Richard Cox
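One way to implement the automated keyword triage described in the post, as an added example that is not from the post or from SpamCop: it parses abuse-report e-mails, flags those mentioning a proxy or open relay, and extracts the reported IP and port so they can be routed to a fast-response queue. The report texts, sender addresses and queue names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample abuse reports (not real SpamCop output); RFC 5737 test addresses.
SAMPLE_REPORTS = [
"""From: reports@abuse.example
Subject: [Abuse] 192.0.2.17 open proxy used for spam
To: abuse-unpublished@isp.example

Our spam trap received mail relayed through an open proxy at 192.0.2.17:3128.
""",
"""From: user@example.net
Subject: spam complaint

I got junk mail from your user 192.0.2.200, please stop it.
""",
"""From: reports@abuse.example
Subject: [Abuse] 192.0.2.45 open relay

The host 192.0.2.45 accepted mail for relaying (port 25).
""",
]

# Keywords that indicate an abusable proxy/relay rather than an ordinary spam complaint.
PROXY_KEYWORDS = re.compile(r"\b(open\s+proxy|proxy|open\s+relay|socks)\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Port given either as "ip:port" or as "port NNNN".
PORT_RE = re.compile(r"(?::|\bport\s+)(\d{1,5})\b", re.I)

def triage(raw):
    """Classify one raw report; returns ip, port, matched keyword and target queue."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    kw = PROXY_KEYWORDS.search(text)
    ip = IP_RE.search(text)
    port = PORT_RE.search(text)
    return {
        "ip": ip.group(1) if ip else None,
        "port": int(port.group(1)) if port else None,
        "keyword": kw.group(0).lower() if kw else None,
        # Hypothetical queue names: proxy reports bypass the general complaint backlog.
        "queue": "urgent-proxy" if kw else "general",
    }

def triage_all(reports):
    """Triage a batch of reports in mailbox order."""
    return [triage(r) for r in reports]
```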