Resident Evil: Understanding Residential IP Proxy as a Dark Service (slide deck)

  1. Resident Evil: Understanding Residential IP Proxy as a Dark Service
     Xianghang Mi, Xuan Feng, Xiaojing Liao, Baojun Liu, XiaoFeng Wang, Feng Qian, Zhou Li, Sumayah Alrwais, Limin Sun, Ying Liu

  2. Background: Web Proxies (HTTP/HTTPS/SOCKS)
     Exit nodes are constrained, are distinguishable, and may be heavily abused, which leads to service blocking or degradation.

  3. Background: Residential IP Proxy as a Service

  4. Background: Residential IP Proxy as a Service
     Advertised as:
     - Millions of clean IPs, residential IPs
     - Never get blocked
     - Globally distributed
     - No traffic limits

  5. Outline
     - Service Overview: network structure, scale and distribution
     - Residential or Not: are proxy peers authentically residential IP addresses?
     - Evasiveness: how well can proxy peers evade traffic detection or blocking?
     - Recruitment: how can millions of proxy peers get recruited?
     - Usage: what are those proxies used for, in the real world?
     - Misc. Findings: collusion, local traffic, etc.

  6. Service Overview: How it works
     Proxy customer -> scripts -> proxy gateways -> residential proxy peers -> destinations (facebook.com, google.com, amazon.com)

  7. Service Overview: How it works
     - Back-connect proxy model: proxy peers are hidden from customers
     - HTTP/HTTPS/SOCKS
     - Multiple rotating strategies: sticky and non-sticky
     - Proxy gateways allow customers to customize the location of proxy peers

  8. Service Overview: Scale
     Infiltration setup: controlled web clients -> purchased RPaaS networks -> controlled web/DNS servers (HTTP request out, HTTP response back).
     - Each request is identified by a unique subdomain
     - Each request/response has its payload encrypted and signed

     Provider         Price        Payment   Infiltration Period
     Proxies Online   $25/GB       Paypal    07/06/2017 - 11/24/2017
     Geosurf          $300/month   Paypal    09/17/2017 - 10/22/2017
     ProxyRack        $40/month    Bitcoin   09/18/2017 - 11/24/2017
     Luminati         $500/month   Paypal    09/25/2017 - 11/01/2017
     IAPS Security    $500/month   Bitcoin   09/23/2017 - 11/01/2017

  9. Service Overview: Scale
     Same infiltration setup (controlled web clients -> purchased RPaaS networks -> controlled web/DNS servers; unique subdomain per request, encrypted and signed payloads). Results:
     - 60+ million successful probes
     - 6.2 million unique IPv4 addresses
     - 238 countries/regions, 52K+ ISPs
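The two slides above describe the infiltration design: a controlled client sends each probe through a purchased proxy network to a controlled web/DNS server, with a unique subdomain per request and a signed payload so that every hit the server records can be attributed to exactly one probe and to the exit IP that delivered it. The following is an added example of that correlation step, written for this page; it is not the authors' measurement code. It assumes a shared HMAC key and a placeholder controlled domain (probe.example), signs the payload but leaves out the encryption the deck mentions, and uses constructed log lines in documentation IP ranges.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed shared secret and domain for this example. In a real measurement
# both live only on the controlled client and the controlled web/DNS servers.
PROBE_KEY = b"constructed-probe-key"
BASE_DOMAIN = "probe.example"  # placeholder for the controlled domain


def new_probe_id() -> str:
    """Random identifier that becomes the unique subdomain of one probe."""
    return secrets.token_hex(8)


def build_probe(probe_id: str, provider: str, gateway: str) -> Tuple[str, str, str]:
    """Client side: host name unique to this probe plus an HMAC-signed payload.

    Returns (host, payload, signature). 'gateway' records which provider
    gateway the client sent the request through. The deck also mentions
    encrypting the payload; this example only signs it.
    """
    host = f"{probe_id}.{BASE_DOMAIN}"
    payload = json.dumps(
        {"probe_id": probe_id, "provider": provider, "gateway": gateway},
        sort_keys=True,
    )
    sig = hmac.new(PROBE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return host, payload, sig


def verify_probe(host: str, payload: str, sig: str) -> Optional[dict]:
    """Server side: accept only payloads we signed and whose host matches."""
    expected = hmac.new(PROBE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(payload)
    if host.lower().rstrip(".") != f"{data['probe_id']}.{BASE_DOMAIN}":
        return None
    return data


def correlate(http_log: List[Tuple[str, str, str, str]],
              dns_log: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Join web-server hits with DNS-server queries by probe id.

    http_log rows: (source IP seen by the web server, Host header, payload, sig)
    dns_log rows:  (source IP seen by the DNS server, queried name)
    The web-server source IP is the proxy peer's exit IP; the DNS-server
    source IP is whichever resolver looked up the probe's unique name.
    """
    resolver_by_id: Dict[str, str] = {}
    for dns_src, qname in dns_log:
        label, _, parent = qname.lower().rstrip(".").partition(".")
        if parent == BASE_DOMAIN:
            resolver_by_id[label] = dns_src
    result: Dict[str, dict] = {}
    for exit_ip, host, payload, sig in http_log:
        data = verify_probe(host, payload, sig)
        if data is None:
            continue  # forged or corrupted hit: not one of our probes
        pid = data["probe_id"]
        result[pid] = {
            "provider": data["provider"],
            "gateway": data["gateway"],
            "exit_ip": exit_ip,
            "resolver_ip": resolver_by_id.get(pid),
        }
    return result


def demo() -> Dict[str, dict]:
    """Constructed run: two genuine probes and one hit with a tampered payload."""
    h1, p1, s1 = build_probe("0a1b2c3d4e5f6071", "provider-A", "gw-1")
    h2, p2, s2 = build_probe("1122334455667788", "provider-B", "gw-2")
    # Constructed log lines as the controlled servers would record them.
    dns_log = [("203.0.113.53", h1 + "."), ("198.51.100.9", h2 + ".")]
    http_log = [
        ("203.0.113.17", h1, p1, s1),
        ("198.51.100.42", h2, p2, s2),
        ("192.0.2.99", h1, p1.replace("provider-A", "provider-X"), s1),
    ]
    return correlate(http_log, dns_log)


if __name__ == "__main__":
    for pid, info in demo().items():
        print(pid, info)
```

The signature is what makes the "successful probe" count trustworthy: a hit whose payload does not verify (the third constructed log line) is dropped rather than credited to a provider, and the unique label ties the DNS lookup and the HTTP hit together even though they arrive from different source addresses.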

  10. Service Overview: Distribution
     - 4096 * 4096 bitmap
     - Each /24 IPv4 prefix is mapped to a pixel using a Hilbert curve of order 12
     - Different pixel colors denote the number of proxy IPs for a given /24 prefix
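The bitmap on this slide works because an order-12 Hilbert curve visits exactly 4096 * 4096 = 2^24 cells, one per /24 prefix, while keeping numerically adjacent prefixes spatially adjacent. The following added example (not the authors' plotting code) implements that mapping with the standard iterative Hilbert d2xy/xy2d construction, maps a few constructed proxy IPs to their pixels and counts IPs per pixel, which is the value the slide encodes as colour. The sample addresses are documentation ranges, not data from the paper.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Tuple

ORDER = 12          # Hilbert curve of order 12
SIDE = 1 << ORDER   # 4096 pixels per side; 4096 * 4096 = 2**24 /24 prefixes


def _rot(n: int, x: int, y: int, rx: int, ry: int) -> Tuple[int, int]:
    """Rotate/flip a quadrant so the curve stays continuous (standard Hilbert step)."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def d2xy(order: int, d: int) -> Tuple[int, int]:
    """Position d along the Hilbert curve -> (x, y) pixel in a 2**order square."""
    n = 1 << order
    x = y = 0
    s = 1
    t = d
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def xy2d(order: int, x: int, y: int) -> int:
    """Inverse of d2xy: pixel -> position along the curve (used to check the mapping)."""
    n = 1 << order
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        x, y = _rot(n, x, y, rx, ry)
        s //= 2
    return d


def prefix_index(ip: str) -> int:
    """The /24 prefix of an IPv4 address as an integer 0 .. 2**24-1."""
    return int(ipaddress.IPv4Address(ip)) >> 8


def prefix_pixel(ip: str) -> Tuple[int, int]:
    """Pixel of the /24 prefix containing ip on the order-12 Hilbert bitmap."""
    return d2xy(ORDER, prefix_index(ip))


def pixel_counts(ips: Iterable[str]) -> Dict[Tuple[int, int], int]:
    """Number of proxy IPs per /24, keyed by pixel (the value a colour scale encodes)."""
    return dict(Counter(prefix_pixel(ip) for ip in ips))


# Constructed sample of proxy IPs (documentation ranges), not data from the paper.
SAMPLE_IPS = ["203.0.113.5", "203.0.113.77", "203.0.113.200", "198.51.100.1", "192.0.2.9"]

if __name__ == "__main__":
    for pixel, n in sorted(pixel_counts(SAMPLE_IPS).items()):
        print(pixel, n)
```

Two properties matter for reading such a map: consecutive /24 prefixes land on neighbouring pixels (so a /16 or an ISP's allocation forms a compact blob rather than a scattered line), and the mapping is a bijection, which the xy2d round trip lets you check.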

  11. Service Overview: Distribution

  12. Residential or Not (Find Groundtruth -> Select Features -> Train/Evaluate Classifiers -> Predict Proxy IPs)
     Ground-truth sources of various noise levels: clean GT for training, noisy GT for evaluation.

     Source                 Label            # IPs        # /16    # /8   # Training
     Manual                 resi-clean              79       25     19          79
     Device Search Engine   resi-clean          89,345   13,525    195       9,921
     Trace My IP            resi-noisy          37,480   11,402    213           0
     Filtered IP Whois      resi-noisy      23,264,961      394     31           0
     IoT Botnets            resi-noisy       1,699,291   20,112    200           0
     Public Clouds          non-resi-clean  53,716,321      968     99       5,000
     Alexa Top1M            non-resi-clean     442,989   14,365    213       4,481
     Commercial Proxies     non-resi-clean         519       71     44         519
     Public Proxies         non-resi-noisy     148,509   14,004    204           0

  13. Residential or Not (Select Features)
     - Residential IPs/prefixes are usually web clients instead of servers -> capture web activities
     - Residential IPs/prefixes tend to be directly managed by ISPs -> capture network hierarchy
     - 35 features derived from DNS records and IP Whois; historical snapshots capture evolution over time
     - For example: the number of TLD+3 domains mapped to the parent /24 IP prefix

  14. Residential or Not (Train/Evaluate Classifiers)
     - Random Forest classifier, trained and tuned on 10K residential and 10K non-residential IPs
     - Recall: 97.12%, Precision: 95.61%

  15. Residential or Not (Predict Proxy IPs)
     5.9M (95.22%) of the 6.2M proxy IPs predicted as residential
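Slides 12 to 15 form one pipeline, and the one feature the deck names is "number of TLD+3 domains mapped to the parent /24 IP prefix", a web-activity signal that separates server-heavy prefixes from client-only ones. The following is an added example of extracting that feature (and two closely related ones) from passive-DNS style (name, A-record IP) pairs; it is not the authors' feature code and the classifier itself is out of scope here. It assumes TLD+k can be approximated by label count (a public suffix list would be needed for co.uk-style suffixes), adds a size-normalised ratio as an extra assumption, and uses constructed records.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple


def tld_plus(name: str, k: int) -> Optional[str]:
    """Last k+1 labels of a host name, or None if it has fewer.

    Assumption: TLD+k is approximated by counting labels; a public suffix
    list (co.uk, com.cn, ...) would be needed for exact results.
    """
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    if len(labels) < k + 1:
        return None
    return ".".join(labels[-(k + 1):])


def parent_24(ip: str) -> str:
    """The /24 prefix containing ip, e.g. 192.0.2.10 -> 192.0.2.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def web_activity_features(records: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, float]]:
    """Per-/24 'web activity' features from (host name, A-record IP) pairs.

    tld3_domains:     distinct TLD+3 domains whose A records land in the /24
                      (the feature the deck names)
    ips_with_records: distinct IPs in the /24 that have any A record at all
    tld3_per_ip:      ratio of the two, a size-normalised variant (assumption)
    """
    tld3 = defaultdict(set)
    ips = defaultdict(set)
    for name, ip in records:
        pfx = parent_24(ip)
        ips[pfx].add(ip)
        dom = tld_plus(name, 3)
        if dom is not None:
            tld3[pfx].add(dom)
    out: Dict[str, Dict[str, float]] = {}
    for pfx, ipset in ips.items():
        n_dom = len(tld3[pfx])
        out[pfx] = {
            "tld3_domains": n_dom,
            "ips_with_records": len(ipset),
            "tld3_per_ip": n_dom / len(ipset),
        }
    return out


# Constructed passive-DNS style records, not data from the paper.
SAMPLE_RECORDS = [
    ("www.shop.example.com", "192.0.2.10"),
    ("img.cdn.example.net", "192.0.2.10"),
    ("api.v2.example.org", "192.0.2.11"),
    ("blog.example.com", "192.0.2.12"),              # only TLD+2: not counted as TLD+3
    ("cpe-203-0-113-5.isp.example", "203.0.113.5"),  # ISP-style client name
]

if __name__ == "__main__":
    for pfx, feats in web_activity_features(SAMPLE_RECORDS).items():
        print(pfx, feats)
```

In the constructed input the hosting-style /24 (192.0.2.0/24) receives three TLD+3 domains while the client-style /24 receives none, which is the direction of the signal the slide describes; a real feature vector would compute this over historical DNS snapshots as well, so the trend over time is captured.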

  16. Evasiveness: Recognized as proxy? Identified as malicious?

  17. Evasiveness: Recognized as proxy?
     Checked against publicly available proxy datasets (Tor relays, free web proxies, IP2Proxy LITE): only 0.06% of the 6.2M IPs appear.

  18. Evasiveness: Identified as malicious?
     Checked against publicly available IP threat lists (botnet bots, Spamhaus EDROP, Open Threat Exchange): only 2.20% of the 6.2M IPs appear.

  19. Recruitment
     - Identify legitimate recruitment programs: are those proxy peers voluntary users?
     - IP profiling: any IoT devices?
     - Identify proxy programs: what programs are used to proxy traffic?

  20. Recruitment: Identify legitimate recruitment programs
     Only Luminati was found to recruit users through Hola programs, and Hola programs were reported as problematic in previous studies.

  21. Recruitment: IP profiling
     - 730K IPs responded to our banner grabbing; 550K got their device type identified
     - All providers got suspicious IoT devices identified among their proxy IPs, including Luminati

     Device Type        Num       %       Device Vendor   Num      %
     router             114,768   48.42   MikroTik        86,593   36.53
     firewall            25,088   10.58   Huawei          37,545   15.84
     WAP                 24,470   10.32   BusyBox         18,337    7.74
     gateway             22,003    9.28   Technicolor     16,866    7.12
     broadband router    17,358    7.32   SonicWall       14,122    5.96
     webcam              13,024    5.49   Fortinet         9,190    3.88
     security-misc       10,608    4.48   Dahua            6,258    2.64
     DVR                  4,249    1.79   ZyXEL            5,601    2.36
     media device         2,589    1.09   AVM              5,272    2.22
     storage-misc         1,988    0.84   Cyberoam         4,558    1.92

  22. Recruitment: Identify proxy programs
     - Accurate correlation between traffic logs of infiltration probes and traffic logs of potentially unwanted programs (PUP)
     - 67 PUP samples identified; proxy programs found for all 5 providers
     - 50 of them were flagged by anti-virus engines

  23. Usage
     For the 67 proxy programs, 5M traffic logs were sampled to study usage. 9.36% of the destinations were reported to be malicious by VirusTotal: Malware 47%, Malicious 39%, Phishing 14%. Example destinations: ntkrnlpa.cn, gwf-bd.com, fadergolf.com, www.2345jiasu.com, www.pf11.com.

  24. Usage
     For the 67 proxy programs, 5M traffic logs were sampled to study usage; 9.36% of the destinations were reported to be malicious by VirusTotal. The top 1000 traffic destinations were manually studied:
     AD 75%, SE 8%, Shopping 7%, Malicious 5%, Social 2%, Other 1%

  25. Usage: AD (75% of the top 1000 traffic destinations)
     - Affiliate networks: tracking.sumatoad.com, click.howdoesin.net, www.alexacn.cc, click.gowadogo.com
     - Mobile advertising, in-app advertising, video advertising, ad exchanges: ads.stickyadstv.com, counter.yadro.ru, adskpak.com

  26. Usage: SE (search engines, 8% of the top 1000 traffic destinations)
     Google Search, Bing Search, Baidu Search, Yandex
