Re: Prevent proxy chaining

[Srinivasa Addepalli <srao () intotoinc com>]

As I understand, you want to differentiate the client-to-proxy and
proxy-to-proxy traffic. 

Typically proxies run on port 80 too.
Whenever your firewall gets the port 80 request (SYN), you can 
do reverse HTTP connection ie send TCP connect to source IP. If it
succeeds, it can be assumed that, the request came from proxy and 
your firewall can log a message to the administartor or possibly
block the request. This scheme does not work, if client machine requires
HTTP server.

Srini

On Mon, 6 May 2002, Siebenkaes Stefan wrote:

> Hi there,
>
> what actions do you take to prevent proxy-chaining?
> Due to billing and security reasons we do not want 
> to let people build own proxy servers to chain them
> via our central proxy farm.
> How can I identify wether the client is a client
> or a proxy? Is there a best practice?
>
> I could watch volume or hits/second, but AFAIK
> theres no need for a proxy to identify as proxy...
>
> Bye,
>   Stefan
>
>
>
> --
> Stefan Siebenkaes
> Systemingenieur
> Security
> Systemarchitektur & Plattformen
>
> ITELLIUM 
> Systems & Services GmbH
> Hundingstrasse 11b
> 90431 Nuernberg
> Germany
>
> Tel.: +49-911-14-20209
> Fax.: +49-911-14-26433
> mailto:stefan.siebenkaes () itellium com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

-- 
Srinivasa Rao Addepalli
Intoto Inc. (Enabling Security Infrastructure)
3160, De La Cruz Blvd #100
Santa Clara, CA
USA

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards