Cyber Security Awareness Month - Day 13 Proxies (TCP 3128, 8080 & ......)

Published: 2009-10-13
Last Updated: 2009-10-13 11:51:59 UTC
by Mark Hofman (Version: 1)
2 comment(s)

Proxy servers are used to manage access to the Internet in companies.  It is a tool to check, control, report and otherwise manage staff access to the Internet and is an important tool to enforce policies.  There are numerous products on the market, the more well known ones are of course Squid and Microsoft's ISA.  They are typically deployed either in the Internal network or in the DMZ or in both zones.  The ports used are typically 3128, 8080 and 80, however like any TCP application any port can be used. 

Proxies do have their evil twins, Open Proxies.  Have you ever had that sinking feeling when looking at firewall rules or web usage and you have noticed that your firewall rule allows the Internet to access your proxy server.  Your monthly usage has increased hundred fold, or of the 500 people in your organisation 9,876 of them are currently using your proxy server?

Open proxies, unless deliberately deployed are typically mis-configured firewalls, proxy servers or web servers, but can also be the result of a compromise or malware.   It is a convenient avenue to browse anonymously and can be used to propagate things such as undesirable content. Ports 3128 and 8080 are one of the most scanned ports.  As many of you will know there are sites that will happily publish the IP  address and ports of open proxies.  

In many countries the use of an open proxy may be considered illegal as you are using someone else's computer, often without their knowledge.   The company/person whose computer is being used as an open proxy may in some jurisdictions also be in breach of some laws, especially if it is being used to propagate child porn or is being used in other criminal activity (Am not a lawyer, so get legal advice if you use open proxies or find one in your network and need to know for sure).  

If not patching today, maybe make today your "check for open proxies in my network day".

Mark H 

2 comment(s)


As a service provider I specifically block traffic destined to my residential users using common default proxy ports (8000, 8080, 8081, 7212 (GhostSurf), 6588 (WinGate) and 3128 Squid)). I also block traffic from those same users on the latter 3 ports. The hit count on those ports is phenomenal. This lets me 1) identify and block sources of proxy scans on the Internet, 2) prevent my users' proxy server misconfigurations from coming back to haunt them, and 3) prevent my infected users from being launching pads for attackers routing traffic through external proxies or scanning for additional open proxies. These ACL entries couples with SMTP blocks reduce our abuse reports by about 90%.
good stuff

Diary Archives