DOI: 10.1145/2991079.2991093
RevProbe: detecting silent reverse proxies in malicious server infrastructures

Published: 05 December 2016

Abstract

Web service operators set up reverse proxies to interpose the communication between clients and origin servers for load-balancing traffic across servers, caching content, and filtering attacks. Silent reverse proxies, which do not reveal their proxy role to the client, are of particular interest since malicious infrastructures can use them to hide the existence of the origin servers, adding an indirection layer that helps protect origin servers from identification and take-downs.
We present RevProbe, a state-of-the-art tool for automatically detecting silent reverse proxies and identifying the server infrastructure behind them. RevProbe uses active probing: it sends requests to a target IP address and analyzes the responses, looking for discrepancies indicating that the IP address corresponds to a reverse proxy. We extensively test RevProbe, showing that it significantly outperforms existing tools. Then, we apply RevProbe to perform the first study on the usage of silent reverse proxies in both benign and malicious Web services. RevProbe identifies that 12% of malicious IP addresses correspond to reverse proxies; furthermore, 85% of those are silent (compared to 52% for benign reverse proxies).
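To make the discrepancy idea in the abstract concrete, the following is an added illustration and not RevProbe's own code: it compares the headers returned to several probes of one target and flags either an explicit intermediary header or a Server header that changes between probes. The probe labels, the header names treated as proxy indicators, the idea that a proxy answers a malformed request itself while forwarding well-formed ones, and the sample responses are all assumptions constructed here.

```python
# Added illustration (not RevProbe's own code) of the discrepancy idea in the
# abstract: a silent reverse proxy forwards well-formed requests to the origin,
# so those replies carry the origin's Server header, but it may answer a
# malformed request itself with its own Server header. The probe labels, the
# header names below and the sample responses are constructed assumptions.
from typing import Dict, List

# Response headers that openly announce an intermediary (assumed list).
EXPLICIT_PROXY_HEADERS = ("via", "x-cache", "x-varnish", "x-served-by")


def analyze_responses(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable discrepancy findings for one target.

    responses maps a probe label (e.g. "GET /") to the headers of the reply it
    received. Header names are compared case-insensitively.
    """
    normalized = {
        probe: {k.lower(): v for k, v in hdrs.items()} for probe, hdrs in responses.items()
    }
    findings: List[str] = []

    # 1. Headers that explicitly reveal a proxy: a non-silent reverse proxy.
    for probe, hdrs in normalized.items():
        for name in EXPLICIT_PROXY_HEADERS:
            if name in hdrs:
                findings.append(f"{probe}: explicit proxy header {name}={hdrs[name]}")

    # 2. Silent proxy indicator: the Server header is not consistent across probes,
    #    e.g. the origin answers normal requests but the proxy answers malformed ones.
    servers = sorted({hdrs["server"] for hdrs in normalized.values() if "server" in hdrs})
    if len(servers) > 1:
        findings.append("server header differs across probes: " + ", ".join(servers))
    return findings


def is_reverse_proxy(responses: Dict[str, Dict[str, str]]) -> bool:
    """True when at least one discrepancy was found."""
    return bool(analyze_responses(responses))


# Constructed sample: the malformed probe is answered by a different software stack.
SAMPLE_RESPONSES = {
    "GET /": {"Server": "nginx/1.10.0", "Content-Type": "text/html"},
    "GET /does-not-exist": {"Server": "nginx/1.10.0", "Content-Type": "text/html"},
    "malformed request line": {"Server": "Apache/2.4.7 (Ubuntu)", "Content-Type": "text/html"},
}
```

A target with a single consistent Server header and no intermediary header yields no findings, which is exactly the case a silent proxy that also rewrites error responses would produce, so absence of findings is not proof of a direct connection.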




Published In

ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications
December 2016
614 pages
ISBN:9781450347716
DOI:10.1145/2991079
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. active probing
  2. reverse proxies
  3. web load balancers

Qualifiers

  • Research-article

Conference

ACSAC '16
Sponsor:
  • ACSA
ACSAC '16: 2016 Annual Computer Security Applications Conference
December 5 - 8, 2016
Los Angeles, California, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)20
  • Downloads (Last 6 weeks)3
Reflects downloads up to 12 Nov 2024

Cited By

  • Hunting for Hidden RDP-MITM: Analyzing and Detecting RDP MITM Tools Based on Network Features. 2023 IEEE Symposium on Computers and Communications (ISCC), pp. 1448-1453, 9 July 2023. DOI: 10.1109/ISCC58397.2023.10218180
  • Detection of Malicious Servers for Preventing Client-Side Attacks. Mehran University Research Journal of Engineering and Technology, 40(1):230-240, 1 January 2021. DOI: 10.22581/muet1982.2101.20
  • Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 36-50, 12 November 2021. DOI: 10.1145/3460120.3484765
  • SoK: A Framework for Asset Discovery: Systematizing Advances in Network Measurements for Protecting Organizations. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 440-456, September 2021. DOI: 10.1109/EuroSP51992.2021.00037
