Evaluating server-side internet proxy detection methods An MSc thesis presented to the Cybersecurity Academy * in partial fulfilment of the requirement for the degree of Master of Cybersecurity Author: J.M. (Hans) Hoogstraaten Supervisors: Dr ir. P. Burghouwt (Pieter) Prof. Dr ir. J. van den Berg (Jan) Version: 1.1 final Date: 10 November 2018 * The Cybersecurity Academy is a joint initiative of Delft University of Technology, Leiden University, and The Hague University of Applied Sciences. CONTENT Content....................................................................................................................................... 2 List of figures .......................................................................................................................... 5 List of tables ........................................................................................................................... 5 1 Introduction ........................................................................................................................ 7 1.1 Problem description .................................................................................................... 7 1.2 Research objective ...................................................................................................... 8 1.3 Research design .......................................................................................................... 8 1.4 Scope ........................................................................................................................... 9 2 Domain description ........................................................................................................... 10 2.1 Proxy characteristics ................................................................................................. 10 2.1.1 Overlay network/ Proxied connections ............................................................... 10 2.1.2 Pseudo source address configurations ................................................................ 10 2.1.3 Multiple IP address setup .................................................................................... 10 2.1.4 Proxying at different protocol layers ................................................................... 11 2.1.5 Routing and other services at the proxy .............................................................. 12 2.1.6 Authentication and encryption ............................................................................ 12 2.1.7 Internal structure overlay network ...................................................................... 12 2.1.8 Reverse proxy/ port forwarding ........................................................................... 13 2.1.9 Ownership ............................................................................................................ 13 2.2 Quantifying accuracy................................................................................................. 13 2.2.1 Estimating the population: a priori odds ............................................................. 13 2.2.2 False positives ...................................................................................................... 14 2.2.3 Available datasets ................................................................................................ 15 2.2.4 False negatives ..................................................................................................... 15 2.2.5 Other criteria ........................................................................................................ 16 2.3 Summary ................................................................................................................... 16 3 Inventory of proxy techniques .......................................................................................... 18 3.1 HTTP proxy ................................................................................................................ 18 3.2 Socket Secure proxy (SOCKS) .................................................................................... 19 3.3 Point-to-Point Tunnelling Protocol (PPTP) ................................................................ 19 3.4 Secure Socket Tunnelling Protocol (SSTP)................................................................. 19 3.5 L2TP ........................................................................................................................... 20 3.6 OpenVPN ................................................................................................................... 20 3.7 IPsec .......................................................................................................................... 21 3.7.1 IPsec over L2TP..................................................................................................... 22 3.7.2 IKEv2 ..................................................................................................................... 22 3.8 The Onion Routing (Tor)............................................................................................ 22 3.9 Other proxy techniques and implementations ......................................................... 22 3.10 Summary ................................................................................................................... 23 4 Inventory of detection techniques.................................................................................... 24 4.1 Introduction .............................................................................................................. 24 4.1.1 Method properties ............................................................................................... 24 4.2 List of known proxies ................................................................................................ 25 2 4.2.1 Temporality .......................................................................................................... 25 4.2.2 Accuracy ............................................................................................................... 26 4.2.3 Properties and success factors ............................................................................. 26 4.3 Information databases .............................................................................................. 26 4.3.1 Residential user vs. datacentres .......................................................................... 27 4.3.2 WHOIS and reverse DNS ...................................................................................... 27 4.3.3 Proxy databases ................................................................................................... 28 4.3.4 Properties and success factors of methods ......................................................... 28 4.4 Port and service scanning ......................................................................................... 30 4.4.1 OpenVPN .............................................................................................................. 30 4.4.2 IPsec ..................................................................................................................... 30 4.4.3 PPTP ..................................................................................................................... 30 4.4.4 Other scan techniques ......................................................................................... 31 4.4.5 Port and service scan databases .......................................................................... 31 4.4.6 Properties and success factors of methods ......................................................... 31 4.5 Latency and timing .................................................................................................... 33 4.5.1 Round-trip time measurements ........................................................................... 33 4.5.2 Transport-layer round-trip time ........................................................................... 36 4.5.3 Application-layer round-trip time ........................................................................ 39 4.5.4 Probing IP addresses ............................................................................................ 40 4.5.5 Triangulation of third-party measurements ........................................................ 40 4.5.6 Comparing times .................................................................................................. 40 4.5.7 Related research .................................................................................................. 42 4.5.8 Properties and success factors ............................................................................. 43 4.6 MTU size .................................................................................................................... 44 4.6.1 Maximum Transmission Unit ............................................................................... 44 4.6.2 TCP Maximum Segment Size ................................................................................ 44 4.6.3 Properties and success factors ............................................................................. 45 4.7 HTTP header fields .................................................................................................... 45 4.7.1 Properties and success factors ............................................................................. 46 4.8 Summary ..................................................................................................................