Re: Proxy Port detection

[Alexander Klimov <alserkli () inbox ru>]

On Wed, 22 Dec 2004, John Madden wrote:
> In our enterprise we have URL filtering capabilities and we restrict the usual
> sites (Porn, Sports, Gambling etc..)
>
> We do not use a proxy, so everyone goes directly to the internet.

Curiously, how do you filter URLs without a proxy?

> I believe that some users put in their proxy settings
> an anonymous proxy using port 80 (which is obviously
> allowed) and in that manner avoid the restriction of
> the URL filtering.
>
> First thoughts:
>
> - Blocking all the anonymous proxy is imposible and
> would be a full time job
> - The use of a proxy is not an option right now

If it is not an option only because you do not want to force everybody to change
their web browsers setups you can use transparent proxy.

> Is there any way to detect this type of traffic (HTTP-Proxy) ?

If the following request

GET /url HTTP/1.1
Host: some.host.name

was sent to IP a.b.c.d which does not belong to some.host.name it is likely that
a.b.c.d hosts a proxy. But since DNS can report differnt IPs for the same
domain it's not that easy to check if an IP serves some particular domain.

Note that if you allow encrypted connections (https) you can't inspect their
contents. Also if your user has a webserver A outside they can setup it to make
a request on behalve of the user with a translation of urls, e.g., http://B/url
is encoded as http://A/B,port/url, A sends request to B and sends the reply to
your user (and change all embeded urls). A can also encode all documents (with
an embeded JavaScript to auto-decode) to avoid content filtering. So, you should
consider how far you want to go into these troubles with rather marginal ROI
into enforcing the policy.

-- 
Regards,
ASK