background web proxies
play

Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes - PowerPoint PPT Presentation

Dec 18, 2022 •286 likes •629 views

Resident Evil: Understanding Residential IP Proxy as a Dark Service Xianghang Mi , Xuan Feng, Xiaojing Liao Baojun Liu, XiaoFeng Wang, Feng Qian Zhou Li, Sumayah Alrwais, Limin Sun , Ying Liu Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes

  1. Resident Evil: Understanding Residential IP Proxy as a Dark Service Xianghang Mi , Xuan Feng, Xiaojing Liao Baojun Liu, XiaoFeng Wang, Feng Qian Zhou Li, Sumayah Alrwais, Limin Sun , Ying Liu

  2. Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained are distinguishable may be heavily abused Service blocking or degradation

  3. Background: Residential IP Proxy as a Service

  4. Background: Residential IP Proxy as a Service Millions of Clean IPs, Residential IPs Never Get Blocked Globally No Distributed Tra ffi c Limits

  5. Outline Service Service Service Service Service Service Network Structure & Scale & Distribution Network Structure & Scale & Distribution Network Structure & Scale & Distribution Network Structure & Scale & Distribution Network Structure & Scale & Distribution Network Structure & Scale & Distribution Overview Overview Overview Overview Overview Overview Residential Residential Residential Residential Residential Residential Are proxy peers Are proxy peers Are proxy peers Are proxy peers Are proxy peers Are proxy peers or Not or Not authentically residential IP addresses? authentically residential IP addresses? authentically residential IP addresses? or Not authentically residential IP addresses? authentically residential IP addresses? authentically residential IP addresses? or Not or Not or Not How well can proxy peers evade traffic detection or How well can proxy peers evade traffic detection or How well can proxy peers evade traffic detection or How well can proxy peers evade traffic detection or How well can proxy peers evade traffic detection or How well can proxy peers evade traffic detection or Evasiveness Evasiveness Evasiveness Evasiveness Evasiveness Evasiveness blocking? blocking? blocking? blocking? blocking? blocking? Recruitment Recruitment Recruitment How can millions of proxy peers get recruited? How can millions of proxy peers get recruited? How can millions of proxy peers get recruited? Recruitment Recruitment Recruitment How can millions of proxy peers get recruited? How can millions of proxy peers get recruited? How can millions of proxy peers get recruited? Usage Usage Usage What are those proxies used for, in the real world? What are those proxies used for, in the real world? Usage Usage Usage What are those proxies used for, in the real world? What are those proxies used for, in the real world? What are those proxies used for, in the real world? What are those proxies used for, in the real world? Misc. Findings Misc. Findings Misc. Findings Collusion, Local traffic, etc. Collusion, Local traffic, etc. Collusion, Local traffic, etc. Misc. Findings Misc. Findings Misc. Findings Collusion, Local traffic, etc. Collusion, Local traffic, etc. Collusion, Local traffic, etc.

  6. Service Overview: How it works facebook.com google.com amazon.com Scripts Proxy Gateways Proxy Customer Destinations Residential Proxy Peers

  7. Service Overview: How it works Back-connect proxy model, proxy peers are hidden from customers HTTP/HTTPS/SOCKS Multiple rotating strategies: sticky & non-sticky Proxy Gateways Allow customers to customize location of proxy peers Residential Proxy Peers

  8. Service Overview: Scale Http Request Http Request Controlled Purchased Controlled Web Clients RPaaS Networks Web/DNS Servers Http Response Http Response Each request is identified Each request/response by a unique subdomain has payload encrypted and signed Provier Price Payment Infiltration Period Proxies Online $25/GB Paypal 07/06/2017 - 11/24/2017 Geosurf $300/month Paypal 09/17/2017 - 10/22/2017 ProxyRack $40/month Bitcoin 09/18/2017 - 11/24/2017 Luminati $500/month Paypal 09/25/2017 - 11/01/2017 IAPS Security $500/month Bitcoin 09/23/2017 - 11/01/2017

  9. Service Overview: Scale Http Request Http Request Controlled Purchased Controlled Web Clients RPaaS Networks Web/DNS Servers Http Response Http Response Each request is identified Each request/response by a unique subdomain has payload encrypted and signed 60+ millions of successful probes 6.2 millions of unique IPv4 addresses 238 countries/regions, 52K+ ISPs.

  10. Service Overview: Distribution 4096 * 4096 bitmap Each /24 IPv4 prefix is mapped to a pixel, using Hilbert curve of order 12 Di ff erent pixel colors denote # of proxy IPs for a given /24 prefix

  11. Service Overview: Distribution

  12. Residential or Not Find Select Train/Evaluate Predict Groundtruth Features Classifiers Proxy IPs GT sources of various noise levels Clean GT for training, noisy for evaluation # IPs 
 # /16 Source Label # /8 # Training Manual resi-clean 79 25 19 79 Device Search Engine resi-clean 89,345 13,525 195 9,921 Trace My IP resi-noisy 37,480 11,402 213 0 Filtered IP Whois resi-noisy 23,264,961 394 31 0 IoT Botnets resi-noisy 1,699,291 20,112 200 0 Public Clouds non-resi-clean 53,716,321 968 99 5,000 Alexa Top1M non-resi-clean 442,989 14,365 213 4,481 Commercial Proxies non-resi-clean 519 71 44 519 non-resi-noisy 148,509 14,004 204 0 Public Proxies

  13. Residential or Not Find Select Train/Evaluate Predict Groundtruth Features Classifiers Proxy IPs Residential IPs/prefixes are usually Residential IPs/prefixes tend to be web clients instead of servers directly managed by ISPs Capture web activities 35 features Capture network hierarchy DNS Records & For example, number of Capture Historical IP Whois TLD+3 domains mapped to evolution by time the parent /24 IP prefix

  14. Residential or Not Find Select Train/Evaluate Predict Groundtruth Features Classifiers Proxy IPs Random Forest Classifier ML Classifier Training/Tuning Recall: 97.12% 10K residential & Precision: 95.61% 10K non-residential IPs

  15. Residential or Not Find Select Train/Evaluate Predict Groundtruth Features Classifiers Proxy IPs 5.9M (95.22%) of 6.2M predicted as residential IPs

  16. Evasiveness Recognized as Identified as proxy? malicious?

  17. Evasiveness Recognized as Identified as proxy? malicious? Tor relays Free web proxies Only 0.06% of 6.2M IPs IP2Proxy LITE Publicly available proxy dataset

  18. Evasiveness Recognized as Identified as proxy? malicious? Botnet bots Only 2.20% of 6.2M IPs Spamhaus EDROP Open Threat Exchanges Publicly available IP threats

  19. Recruitment Identify legitimate Are those proxy peers voluntary users? recruitment programs Any IoT devices? IP Profiling Identify What programs are used to proxy tra ffi c? proxy programs

  20. Recruitment Identify legitimate recruitment programs Only Luminati was found to recruit users through Hola programs IP Profiling And Hola programs were reported as problematic in previous studies Identify proxy programs

  21. Recruitment 550K got 730K IPs responded to device type identified our banner grabbing Identify legitimate All providers got suspicious IoT devices recruitment programs identified for their proxy IPs, including Luminati Num Num Device Type (%) Device Vendor (%) router MikroTik 114,768 48.42 86,593 36.53 firewall Huawei 25,088 10.58 37,545 15.84 IP Profiling WAP BusyBox 24,470 10.32 18,337 7.74 gateway Technicolor 22,003 9.28 16,866 7.12 broadband SonicWall 17,358 7.32 14,122 5.96 router router webcam Fortinet 13,024 5.49 9,190 3.88 security-misc Dahua 10,608 4.48 6,258 2.64 Identify DVR ZyXEL 4,249 1.79 5,601 2.36 media device proxy programs AVM 2,589 1.09 5,272 2.22 storage-misc Cyberoam 1,988 0.84 4,558 1.92

  22. Recruitment Accurate Identify legitimate Correlation recruitment programs Tra ffi c logs of Tra ffi c logs of potentially Infiltration probes unwanted programs (PUP) 67 PUP samples identified IP Profiling Proxy programs are found for all 5 providers Identify 50 of them were flagged by anti-virus engines proxy programs

  23. Usage For the 67 proxy programs, 5M tra ffi c logs were sampled to study usage 9.36% of the destinations were reported to be malicious by VirusTotal Phishing 14% ntkrnlpa.cn, gwf-bd.com, Malware fadergolf.com, 47% www.2345jiasu.com, www.pf11.com, Malicious 39%

  24. Usage For the 67 proxy programs, 5M tra ffi c logs were sampled to study usage 9.36% of the destinations were reported to be malicious by VirusTotal Top 1000 tra ffi c destinations were manually studied. 80% 75% 60% Value Axis 40% 20% 8% 7% 5% 2% 1% 0% AD SE Shopping Malicious Social Other

  25. Usage For the 67 proxy programs, 5M tra ffi c logs were sampled to study usage 9.36% of the destinations were reported to be malicious by VirusTotal Top 1000 tra ffi c destinations were manually studied. 80% 75% A ffi liate networks : tracking.sumatoad.com, 60% click.howdoesin.net, www.alexacn.cc, and click.gowadogo.com. Value Axis 40% Mobile advertising, in-app advertising, video advertising, ad exchanges: ads.stickyadstv.com, counter.yadro.ru, and 20% adskpak.com. 8% 7% 5% 2% 1% 0% AD SE Shopping Malicious Social Other

  26. Usage For the 67 proxy programs, 5M tra ffi c logs were sampled to study usage 9.36% of the destinations were reported to be malicious by VirusTotal Top 1000 tra ffi c destinations were manually studied. 80% 75% 60% Value Axis 40% Google Search, Bing Search, Baidu Search, Yandex 20% 8% 7% 5% 2% 1% 0% AD SE Shopping Malicious Social Other

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Executive Summary Database Proxies: Improves SQL read/write performance and

1 Executive Summary Database Proxies: Improves SQL read/write performance and

1 Executive Summary Database Proxies: Improves SQL read/write performance and reliability Deployment requires no application changes Demo 2 IMDG vs. Database Proxies Feature ProxySQL Automated Failover

335 views • 17 slides
Metaprogramming & JavaScript Object Proxies What is metaprogramming ? Writing programs that

Metaprogramming & JavaScript Object Proxies What is metaprogramming ? Writing programs that

C152 Programming Language Paradigms Prof. Tom Austin, Fall 2014 Metaprogramming & JavaScript Object Proxies What is metaprogramming ? Writing programs that manipulate other programs. JavaScript Proxies Special metaprogramming

594 views • 24 slides
Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University What is metaprogramming ? Writing programs that manipulate other programs. JavaScript Proxies

380 views • 27 slides
Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of Colorado Boulder Proxies Censored User obfs3 proxy Censor-Controlled Network Active Probing obfs3?? Lets confirm! Censored User obfs3 proxy

479 views • 46 slides
Internet Privacy Proxies, VPNs and Tor for private communications in the public Internet

Internet Privacy Proxies, VPNs and Tor for private communications in the public Internet

Free Technology Workshop Internet Privacy Proxies, VPNs and Tor for private communications in the public Internet Organised by Steven Gordon Room RS401 9am - 12noon Friday 20 June 2014 http://ict.siit.tu.ac.th/moodle/ Demos and Tasks

684 views • 10 slides
Climate Change: What Should We All Do Now? June 27, 2019 Core Samples and Proxies Tell the Story

Climate Change: What Should We All Do Now? June 27, 2019 Core Samples and Proxies Tell the Story

To help protect your privacy, PowerPoint has blocked automatic download of this picture. Climate Change: What Should We All Do Now? June 27, 2019 Core Samples and Proxies Tell the Story of Past Levels of CO2 Concentration Paleogeography 56

122 views • 10 slides
Using Proxies to Accelerate Cloud Applications Siddharth Ramakrishnan Jon Weissman Department

Using Proxies to Accelerate Cloud Applications Siddharth Ramakrishnan Jon Weissman Department

Using Proxies to Accelerate Cloud Applications Siddharth Ramakrishnan Jon Weissman Department of CSE University of Minnesota Introduction Cloud ecosystem (Gannon 2009) SAAS: (Google Spreadsheet, Gmail) I/P-AAS: (Virt: EC2/S3,

389 views • 19 slides
ES6 JavaScript, Metaprogramming, & Object Proxies Prof. Tom Austin San Jos State

ES6 JavaScript, Metaprogramming, & Object Proxies Prof. Tom Austin San Jos State

CS 252: Advanced Programming Language Principles ES6 JavaScript, Metaprogramming, & Object Proxies Prof. Tom Austin San Jos State University Fixing JavaScript ECMAScript committee formed to carefully evolve the language.

558 views • 43 slides
ES6 JavaScript, Metaprogramming, & Object Proxies Prof. Tom Austin San Jos State

ES6 JavaScript, Metaprogramming, & Object Proxies Prof. Tom Austin San Jos State

CS 152: Programming Language Paradigm ES6 JavaScript, Metaprogramming, & Object Proxies Prof. Tom Austin San Jos State University ECMAScript Schism ECMAScript 4 was divisive A group broke off to create ECMAScript 3.1 more

695 views • 37 slides
An Efficient Loop-Detection Algorithm for SIP Proxies

An Efficient Loop-Detection Algorithm for SIP Proxies

An Efficient Loop-Detection Algorithm for SIP Proxies draft-campen-sipping-stack-loop-detect-00.txt Byron Campen Estacado Systems The Algorithm in Brief All nodes have a unique number(node value) Requests will contain a stack of node

519 views • 6 slides
Outline Numeracy Proxies and Practices: Studies in Approximations of the "Real" I.

Outline Numeracy Proxies and Practices: Studies in Approximations of the "Real" I.

Outline Numeracy Proxies and Practices: Studies in Approximations of the "Real" I. Context of the work II. Guiding literature A. Social practices B. Assessment validity III. The study IV. Findings and implications Luke Tunstall

997 views • 62 slides
Long-term Variaon of the Coupling between Solar Proxies: Coupled Oscillators Approach Anton

Long-term Variaon of the Coupling between Solar Proxies: Coupled Oscillators Approach Anton

Long-term Variaon of the Coupling between Solar Proxies: Coupled Oscillators Approach Anton Savosanov, Alexander Shapoval, Mikhail Shnirman NRU Higher School of Economics, Laboratory of Complex Systems Modelling and Control Instute of

499 views • 20 slides
SOCKS overTURNed RP86: Using TURN relays as Proxies Sean Liao 1 SOCKS Not short for

SOCKS overTURNed RP86: Using TURN relays as Proxies Sean Liao 1 SOCKS Not short for

SOCKS overTURNed RP86: Using TURN relays as Proxies Sean Liao 1 SOCKS Not short for anything Widely supported generic proxy protocol Layer 4 SOCKS4 (1992) / SOCKS4a: TCP SOCKS5 (1996, RFC 1928): TCP & UDP 2

434 views • 26 slides
Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

CS 252: Advanced Programming Language Principles Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University ECMAScript Schism ECMAScript 4 was divisive A group broke off to create ECMAScript 3.1

480 views • 32 slides
Coevolution of Simulator Proxies and Sampling Strategies for Petroleum Reservoir Modeling Tina

Coevolution of Simulator Proxies and Sampling Strategies for Petroleum Reservoir Modeling Tina

Coevolution of Simulator Proxies and Sampling Strategies for Petroleum Reservoir Modeling Tina Yu Memorial University of Newfoundland, Canada Dave Wilkinson Chevron Energy Technology Company, USA Outline Reservoir Modeling and History

461 views • 21 slides
Censors Delay in Blocking Circumvention Proxies David Fifield & Lynn Tsai University of

Censors Delay in Blocking Circumvention Proxies David Fifield & Lynn Tsai University of

Censors Delay in Blocking Circumvention Proxies David Fifield & Lynn Tsai University of California, Berkeley Tor (The Onion Router) Anonymous network Poorly suited for censorship circumvention Including bridges + pluggable transports

577 views • 21 slides
Computational Linguistics: Feature Agreement Raffaella Bernardi Contents First Last Prev

Computational Linguistics: Feature Agreement Raffaella Bernardi Contents First Last Prev

Computational Linguistics: Feature Agreement Raffaella Bernardi Contents First Last Prev Next Contents 1 Admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 Formal

459 views • 41 slides
Symbolic Execution of Debian Packages Nicolas Jeannerod nicolas.jeannerod@irif.fr joint work

Symbolic Execution of Debian Packages Nicolas Jeannerod nicolas.jeannerod@irif.fr joint work

Symbolic Execution of Debian Packages Nicolas Jeannerod nicolas.jeannerod@irif.fr joint work with Benedikt Becker, Claude March Yann Rgis-Gianas, Mihaela Sighireanu, Ralf Treinen IRIF, Universit de Paris September 9, 2019 13th Alpine

886 views • 67 slides
CS786: Lecture 1 May 1st Basics: review of probability theory 1 CS 786 Lecture Slides (c)

CS786: Lecture 1 May 1st Basics: review of probability theory 1 CS 786 Lecture Slides (c)

CS786: Lecture 1 May 1st Basics: review of probability theory 1 CS 786 Lecture Slides (c) 2012 P. Poupart Theories to deal with uncertainty Dempster-Shafer theory Fuzzy set theory Possibility theory Probability theory

143 views • 10 slides
CS 423 Operating System Design: Overview and Basic Concepts Professor Adam Bates Fall

CS 423 Operating System Design: Overview and Basic Concepts Professor Adam Bates Fall

CS 423 Operating System Design: Overview and Basic Concepts Professor Adam Bates Fall 2018 CS423: Operating Systems Design Goals for Today Learning Objectives: Introduce OS definition, challenges, and history Announcements:

416 views • 29 slides
Field of values error estimates for evaluating functions of matrices via the Arnoldi method

Field of values error estimates for evaluating functions of matrices via the Arnoldi method

Field of values error estimates for evaluating functions of matrices via the Arnoldi method Bernhard Beckermann http://math.univ-lille1.fr/ bbecker Laboratoire Paul Painlev e UMR 8524 ( equipe ANO-EDP) UFR Math ematiques,

171 views • 15 slides
Generating Referring Expressions in Open Domains Advaith Siddharthan & Ann Copestake

Generating Referring Expressions in Open Domains Advaith Siddharthan & Ann Copestake

g Generating Referring Expressions in Open Domains Advaith Siddharthan & Ann Copestake as372@cs.columbia.edu & aac10@cl.cam.ac.uk Advaith Siddharthan. Index p.1/40 Structure of Talk1 g Motivation Attribute Selection The

444 views • 40 slides
Syntactic Theory Typed Feature Structures (TFS) Yi Zhang, Antske Fokkens Department of

Syntactic Theory Typed Feature Structures (TFS) Yi Zhang, Antske Fokkens Department of

Syntactic Theory Typed Feature Structures (TFS) Yi Zhang, Antske Fokkens Department of Computational Linguistics Saarland University December 8th, 2009 Zhang, Fokkens (Saarland University) Syntactic Theory 08.12.2009 1 / 23 Type Hierarchy

862 views • 25 slides
XMG: a tool for implementing frames Timm Lichte 1 , Simon Petitjean 2 , Laura Kallmeyer 1 &

XMG: a tool for implementing frames Timm Lichte 1 , Simon Petitjean 2 , Laura Kallmeyer 1 &

XMG: a tool for implementing frames Timm Lichte 1 , Simon Petitjean 2 , Laura Kallmeyer 1 & Younes Samih 1 1 University of Dsseldorf, Germany, and 2 Universit dOrlans, France CTF14, August 26, 2014 SFB 991 1 / 24 Table of contents 1

492 views • 24 slides

More recommend