Firewall Wizards mailing list archives

Re: Prevent proxy chaining


From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Date: Tue, 07 May 2002 16:35:03 +0200


You may check HTTP headers such as x-refferer, forwarded-by,... and
other headers added by proxies. Unfortunately, every proxy adds its own
header and may not even add headers at all. Such a filter would leave
you with some false negatives (you'll not catch hackers).

Another alternative would be to check that there is only one agent type
per IP address. As a single user may use Netscape and IE on the same
computer, you'll get a high false positive rate. Additionally, your
customer's proxy or personal firewall may hide the agent type or any
other HTTP header, thus a high false negative rate.

You could also check the source port. NT (and many others) use
a low source port, between 1024 and 2-3000 (considering the workstation
is shut down every day). There is a chance proxy servers are not rebooted
so often, so blocking proxy access from ports higher than 4000 or 5000
would block proxies... and Unix workstations. As for the previous
solution, high false and negative rates.

You could also scan the client's IP for an open 1080, 8080, 8000 or 80
port during the first proxy access and discard this address for a while
if it answers something. You'll get high negative rates as (personal)
firewalls would block such connections. You should check that your
contracts allow you to scan your customers.

As far as I can imagine, there is no efficient way of blocking proxy
chaining. I guess you want to avoid companies with 10 or 20 PCs using a
low-end Internet connection instead of purchasing a business access.
Most (personal guess) of these companies have low IT knowledge and the
first solution should fit your need.

How can I identify whether the client is a client or a proxy?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
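
An added example, not part of the original post: the three passive heuristics from the message above (proxy-added headers, more than one agent type per IP, high source port) applied to constructed requests, showing the false positives and false negatives the post predicts. The header list, the function name and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed list of headers that forwarding proxies commonly add; the post
# points out that each proxy adds its own header, or none at all.
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded"}
HIGH_PORT = 4000  # cut-off taken from the post's source-port heuristic


def proxy_indicators(requests, high_port=HIGH_PORT):
    """Return {client_ip: sorted names of the heuristics that fired}."""
    agents = defaultdict(set)   # distinct User-Agent values seen per IP
    hits = defaultdict(set)     # heuristics that fired per IP
    for req in requests:
        ip = req["ip"]
        headers = {k.lower(): v for k, v in req["headers"].items()}
        if headers.keys() & PROXY_HEADERS:
            hits[ip].add("proxy-header")
        if "user-agent" in headers:
            agents[ip].add(headers["user-agent"])
        if req["port"] > high_port:
            hits[ip].add("high-source-port")
    for ip, seen in agents.items():
        if len(seen) > 1:
            hits[ip].add("multiple-user-agents")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}


IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
NS = "Mozilla/4.78 [en] (Windows NT 5.0; U)"
NS_X11 = "Mozilla/4.78 [en] (X11; U; Linux 2.4.18 i686)"
# Constructed sample requests (documentation-range addresses, not real traffic).
SAMPLE = [
    # Proxy that announces itself and relays two different browsers.
    {"ip": "192.0.2.10", "port": 41822, "headers": {"Via": "1.0 proxy", "User-Agent": IE}},
    {"ip": "192.0.2.10", "port": 41830, "headers": {"Via": "1.0 proxy", "User-Agent": NS}},
    # Recently restarted proxy that strips its own headers and the User-Agent.
    {"ip": "192.0.2.20", "port": 1310, "headers": {"Host": "www.example.com"}},
    # One user running Netscape and IE on the same PC, no proxy involved.
    {"ip": "192.0.2.30", "port": 1055, "headers": {"User-Agent": IE}},
    {"ip": "192.0.2.30", "port": 1061, "headers": {"User-Agent": NS}},
    # Unix workstation with a high ephemeral port, no proxy involved.
    {"ip": "192.0.2.40", "port": 32801, "headers": {"User-Agent": NS_X11}},
]

if __name__ == "__main__":
    for ip, reasons in sorted(proxy_indicators(SAMPLE).items()):
        print(ip, ", ".join(reasons))
```

The quiet proxy at 192.0.2.20 is never reported, while the two non-proxy clients each trip one heuristic, so a single indicator is better treated as a reason to look closer than as grounds for blocking.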

