
This is past experience, and is not the case anymore since I am a programmer now and have nothing to do with security anymore. However, in the past I had a person constantly trying to make comments of the spam type (definitely a troll and not a bot). So I blocked his IP. Lo and behold, he comes back saying that I can't block him because he has more proxies he can use. I didn't know about the existence of IT Security then, and now that I have found it, I can ask you guys here. This has happened in the past, and is not true anymore. But I am wondering: is there a way I might have been able to track the person hiding behind proxies?

Quillion

2 Answers

6

A proxy is a system which relays communications. From your server, you see the communication as coming from the proxy machine. The IP address you see is the one of the proxy. If you block that IP, you block all traffic coming from that proxy, but no traffic from elsewhere. If the villain switches to another proxy, he will pass.

Some HTTP proxies add a header line X-Forwarded-For which identifies the true source IP address. Note, though, that if the proxy system is under the control of the perpetrator, then he can configure it not to include that header, or, worse, to include a fake X-Forwarded-For value.

Tom Leek
  • So then by using proxies you can commit unspeakable crimes and the wrong person will be blamed? Is there no way to catch the evil mastermind? – Quillion Jul 04 '13 at 17:45
  • 2
    Good hackers hop through a chain of proxies throughout the world (the proxies being subverted home computers, with no logs) and would remain uncaught, except that they are also human and almost always end up making some mistake, usually boasting about their so-called M4d Sk1llz somewhere. – Tom Leek Jul 04 '13 at 17:54
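An added example (not from either answerer) of the defensive side of the X-Forwarded-For point above: only honour the header when the direct peer is one of your own proxies, and walk the chain from the right so that hops written by parties you do not control are never treated as the client address. The trusted proxy ranges are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed for this example: networks of the reverse proxies we operate.
# Only addresses in these ranges are allowed to vouch for an X-Forwarded-For hop.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _parse(addr: str):
    """Return an ip_address for addr, or None if it is not a valid literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(ip) -> bool:
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address a request should be attributed to (and blocked on).

    If the TCP peer is not one of our proxies, the header is ignored: anyone
    can send an X-Forwarded-For line. Otherwise the chain is read from the
    right (the hop nearest to us); trusted proxies are skipped and the first
    untrusted hop is the client. Hops further left were supplied by that
    untrusted party and may be forged, so they are never used.
    """
    if not _is_trusted(_parse(peer_addr)):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            # Malformed hop: the chain cannot be trusted; fall back to the proxy.
            return peer_addr
        if not _is_trusted(ip):
            return str(ip)
    # Header absent or every hop was one of our proxies: attribute to the peer.
    return peer_addr
```
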
2

+1 for X-Forwarded-For and riders.

Proxy or not, with enough examples of attacks to work from, it may be possible to close in on the sources. For example, a report this year from information security company Mandiant (http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) identified individuals and very precisely the part of a building in China as a source of significant cyber attacks. If you can obtain information from attackers such as language examples, user IDs, email addresses, it can lead to their other activities and interests that enrich the amount of information about them to refine the hunt.

In the case of a harassing spammer, identifying patterns to their activity (forum user ID patterns, what gets completed on a forum profile [all fields including ICQ number was a tell for us], text content, time of day, country, etc.) so as to develop rule-based blocking, preferably to block their IP or IP range immediately at the firewall, could be effective long enough for them to get bored and move on to a more fun target.

Nick