Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

How to identify if you are behind a "Transparent Proxy"

Published: 2012-12-06
Last Updated: 2012-12-06 03:25:35 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Traveling a lot? You may still be one of the unlucky few who not only connects to hotel networks regulary, but doesn't have easy access to a VPN to bypass all the nastyness they introduce. In addition, even some "normal" ISPs do introduce a feature called "transparent proxy" to manage traffic. Transparent proxies are nice in that they are easy to setup up and invisible ("transparent") to the user. However, the browser isn't aware of them, and as a result the transparent proxy even if configured non-malicious can still cause confusion bout the same origin policy browser depend on to isolate web sites from each other.

A transperent proxy works in conjunction with a firewall. The firewall will route traffic to the proxy, but changing the desitination IP address of the packet to the proxy's IP address. The proxy now relies on the "Host" header to identify the target site. As a result, the relationship between IP address and host name that the client established is lost.

There is a pretty simple test to figure out if you are behind a simple transparent proxy: Telnet to a "random" IP address (e.g. 192.0.2.1) on port 80. Then, copy/past a simple HTTP request, that includes the host header (the part you type is shown in bold font:

telnet 192.0.2.1 80
Trying 192.0.2.1...
Connected to 192.0.2.1 (192.0.2.1).
Escape character is '^]'.
GET /infocon.txt HTTP/1.1
Host: isc.sans.edu
 
If this works, and you are connected to "isc.sans.edu" and not "192.0.2.1" (which doesn't exist), then you are behind a proxy. The response may now also include headers inserted by the proxy. For example (abbreviated):
 
HTTP/1.1 200 OK
Date: Thu, 06 Dec 2012 03:05:12 GMT
Content-Length: 5
...
Content-Type: text/plain; charset=UTF-8
Via: 1.0 localhost:3128 (squid/2.7.STABLE9) <--- PROXY HEADER
 
 
And other similar headers. (X-Cache-Lookup, X-Cache ...)
 
If https connections are proxied, you will also see SSL warnings. Disconnect if you see them. Using an "open" internet connection without a VPN to tunnel you back to the safety of the known-evil home ISP is your best choice. There are plenty of decent options. Some home routers now include either OpenVPN or IPsec gateways. Personally, I like OpenVPN, but for mobile devices, IPsec is more common. You may need both anyway as some special-evil networks block VPN connections. OpenVPN for example can even work by encapsulating your TCP/IP traffic in HTTP requests that will be passed along by an evil transparent proxy. Setting up a PPP connection over SSH is another option, but it is less supported by non-linux clients. Of course, you should still use SSL to connect to critical services to get an end-to-end authenticated and encrypted tunnel.
 
------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

6 comment(s)
Diary Archives