Intercepting Proxy Server
What is a Transparent Proxy | Client vs. Server Side Use Cases
What is a Transparent Proxy
A transparent proxy, also known as an inline proxy, intercepting proxy or forced proxy, is a server that intercepts the connection between an end-user or device and the internet. It is called “transparent” because it does so without modifying requests and responses. Squid Transparent Proxy Server is a popular open source transparent proxy tool.
For example, a user on a corporate network may be surfing the Internet. The user requests to view a news article on, and views the same content as they would on their local connection at home.
However, unbeknownst to the user, the news article is delivered not from the origin server, but rather from a transparent proxy running on the corporate network. The user’s experience is exactly the same. However, the user’s employer now has the ability to monitor their behavior, and also restrict access to certain websites.
Example of a transparent proxy deployment
Transparent Proxies and Forced Proxies
Transparent proxies are sometimes known as forced proxies because they can be applied to a user’s connection without any change to their computer’s proxy settings.
As a result, a transparent proxy can be “forced” on a user without their consent or knowledge (although in many cases users are informed about the presence of a proxy). Some websites maintain unofficial transparent proxy lists, to help users become aware they are monitored.
Transparent proxies, by definition, are set up by the operator of a network or a website, and not by the end-user.
Transparent Proxy Settings
When you set up a transparent proxy, some of the common proxy settings are:
Authentication—provides the server with the same credentials as the users behind the proxy
Interception—defines how the proxy should intercept traffic, at the operating system level or at the router level
Caching—defines whether the proxy server should cache content for returning users
Reverse proxy—you can place the proxy in front of a web server to accelerate performance for users (as opposed to setting it to intercept remote access)
Filtering chat, data streaming, torrent threads, etc—configure the transparent proxy not to allow users to access certain protocols or ports
Uses for Transparent Proxy on Client Side
You can deploy a transparent proxy on the client side, meaning that all traffic to and from a client endpoint is intercepted by the proxy. Use cases for client-side transparent proxies include:
Content Filtering
You can use a transparent proxy to filter out unwanted content, defined via proxy settings. For example, when a specific website is requested, the proxy can refrain from forwarding the request to the web server. Instead, it intercepts the connection and displays an error or notice to the user.
Gateway Proxies
You can use a gateway proxy to modify or block network traffic based on rules. For example, a firewall is a transparent proxy, which allows traffic to pass between an internal network and the Internet, but blocks traffic if it violates the firewall’s rule table.
Transparent Caching
If multiple people are accessing the same content from the same location—for example, many students viewing the same news site via their university network—it is more efficient to initially cache the content, and serve it from cache to subsequent users. A transparent proxy can do this for an organization, facility or neighborhood.
Traffic Monitoring
If you operate a network, you can set up a transparent proxy to monitor user traffic and behavior.
Traffic monitoring can also have illegitimate uses—for example, an unscrupulous public wifi operator can monitor user’s connections and steal data and credentials.
Authentication
Public wifi spots and cellular Internet operators sometimes use transparent proxies to force users to authenticate themselves on the network, and agree to terms of service. Only after a user authenticates and agrees, are they allowed to surf.
Users may not realize that even after the initial authentication screen, the entire connection is intercepted and could be monitored by the operator, via the transparent proxy.
Uses for Transparent Proxy on the Server Side
TCP Intercept for DoS Protection
TCP intercept is a type of transparent proxy which you can use to protect a server against a SYN-flood Denial of Service (DoS) attack. It intercepts all traffic to a web server, accepts client requests, and performs a three-way handshake. If successful, it performs a three-way handshake with the server, and joins the two half-connections between client and server.
The TCP intercept watches TCP requests, and waits (typically 30 seconds) for connections to be established. When the number of inactive connections exceeds a certain threshold, the TCP intercept enters “aggressive mode”. In this mode, each new arriving connection causes the oldest inactive connection to be deleted.
This technique is no longer effective against modern, large scale Distributed Denial of Service (DDoS) attacks. Attackers controlling high-powered servers, or millions of zombie computers, can create SYN floods that easily overwhelm a TCP intercept controller.
This is why many organizations are using cloud-based services like Imperva’s DDoS Protection. Cloud-based DDoS services are able to scale up on-demand to handle large scale attacks, and can also protect against other types of DDoS. For example, DDoS services can prevent protocol attacks and application layer attacks, which do not occur at the TCP layer.
Transparent Proxy and CDN for Front-End Optimization
A Content Delivery Network (CDN) is a globally distributed network of proxy servers, which caches and serves content to users near their geographical location.
A CDN, such as Imperva’s Global Content Delivery Network, is a type of transparent proxy operating on the server side, whose purpose is to perform front-end optimization to improve the end-user experience. It intercepts traffic to a web server and instead of letting the user access the origin server directly, it offers the same content from its cache. This results in improved performance for user and reduced system resources required on the server.
How to Block Anonymous Proxy Servers at Your Firewall
Hackers will often hide their identities while attempting to gain unauthorized access to vulnerable servers. If a hacker is using an anonymous proxy server, you can block access via the Windows firewall application. As long as you have the IP address of the proxy server, you can block it by creating a new rule in the firewall. Obtain the IP address of the anonymous proxy server from your Web server’s logs. Log in to your Windows 8 account and then point the mouse at the lower right corner of the desktop. The sidebar menu opens. Click “Control Panel” in the sidebar menu, and then click on “System and Security. ” Click the “Windows Firewall” option. The Firewall screen opens. Click the “Advanced Settings” option, and then click on “Inbound Rules” in the left navigation pane. Click the “New Rule” option. The New Inbound Rule wizard opens. Click the radio button next to the “Custom” option, and then click “Next. ” Click the “All Programs” radio button, and then click the “Next” button. Click the “Protocol Type” drop-down box. Click on “All Ports. ” Click the “Local Port” drop-down box and select the “All Ports” option. Click the “Remote Port” drop-down box. Select the “All Ports” option and click “Next. ” Click the radio button next to the “Any IP Address” option for the Local Ports section, and then click the radio button for “These IP Addresses” in the Remote Ports section. Type the IP address for the anonymous proxy server, click the “Add” button, and then click “Next. ” Click the “Block the Connection” option, and then click “Next. ” Tick the check boxes for all three options: “Domain, ” “Private” and “Public. ” Type a name and description for the new rule; then click the “Finish” button. References Writer Bio Terry Parker is a writer based in Texas. She specializes in writing technical and marketing materials for a wide variety of clients, ranging from small businesses to Fortune 500 companies.
How can hackers bypass proxy servers? – SearchSecurity
Hackers are bypassing proxy servers all the time and doing so for a variety of reasons. In this expert Q&A, Ed Skoudis points out the holes in your protective filtering tools.
How can hackers bypass proxy servers? Does the process require special tools or software, or are holes in the server…
itself needed?
The phrase “bypass proxy servers” can mean several things, depending on how the proxy server is used, so let’s look at a couple of proxy-deployment architectures and their associated bypass methods. To keep this answer to a manageable size, I’m going to focus on HTTP and HTTPS proxies. But keep in mind that the ideas below apply to other protocols as well.
Organizations often have their internal users connect to the Internet through a proxy server. These proxies provide centralized control points for filtering and analysis, potentially even blocking employees from surfing to inappropriate Web sites. As a performance bump, these proxies typically offer caching support as well. So, how do users bypass proxy servers? There are several approaches.
First, a surprising number of corporate networks with outbound proxies allow HTTP and HTTPS to be sent in two ways: either through the proxy itself, or formulated raw from the desktop, avoiding the proxy. Some of these organizations allow this proxy/non-proxy access because of the preponderance of applications — often Java applets — that speak HTTP but are not proxy-aware. To avoid this problem, I prefer to deploy transparent proxies in a network, rather than allow non-proxied Internet access that supports certain applications.
Even with organizations that completely block non-proxied HTTP and HTTPS access, an attacker can still bypass the proxy in a number of ways. To access forbidden sites, an attacker may encode his or her URLs in a variety of different formats, such as the hexadecimal representation of the American Standard Code for Information Interchange (ASCII), rather than the “normal” view. Thus, the Web site becomes%77%77%77%2e%66%6f%72%62%69%64%64%65%6e%73%74%75%66%66%74%6f%61%76%6f%69%64%2e%63%6f%6d. An attacker could also try to use an IP address instead of a domain name, or use Unicode instead of the “hex” representation. There are hundreds of different obscuring routines, and some of them work against various proxies.
To evade the filtering, an attacker can also try a different protocol altogether. One option here is to retrieve Web pages via email, a service offered at several locations on the Internet, such as the free A subscriber can email a URL to the service, and its mail server then fetches the page and emails it back so the subscriber can view it in an HTML-enabled email reader; most email readers, in fact, are HTML-enabled.
Attackers can also access blocked content by surfing through an organization’s outbound proxy to then go to another proxy, through which one can surf. The first proxy only sees the connection to the second one, and the second one doesn’t enable any restrictions. There are thousands of these types of proxies available on the Internet today.
While those are just a few of the most popular methods for bypassing filtering proxies, what if an attacker’s goal isn’t to dodge filtering proxies, but instead to steal outbound data using HTTP and/or HTTPS? The attacker, for example, might have some spyware running inside an organization, and a Web site running on the outside, hoping to somehow spew internal data to the external server. The only obstacle is a pesky little proxy. In this scenario, where the attacker controls the client and the server, the attacker can simply try another TCP port, or use a variety of tools that try to tunnel data through the proxy.
Another use of proxy servers involves inbound access, the so-called “reverse proxy” deployment. This architecture offers protective filtering, analysis and authentication capabilities for a Web server. To bypass these proxies, attackers can rely on non-standard ports or tunneling tricks, or they can attack the proxy server itself.
Historically, some proxy technologies have suffered from configuration errors or buffer-overflow conditions. By exploiting these flaws, an attacker might be able to take over the proxy device itself, and then reconfigure it so that he or she can get unfettered access to a protected server.
This was last published in April 2007
Dig Deeper on Real-time network monitoring and forensics
HTTP (Hypertext Transfer Protocol)
By: Wesley Chai
Web application firewall (WAF)
By: Ben Lutkevich
Input validation issues open Cisco firewall vulnerability
How does a WPAD attack work and how can it be prevented?
By: Michael Cobb
Related Q&A from Ed Skoudis
How to combat the top 5 enterprise social media risks in business
Learn how social networking sites compound the insider threat risk, and explore how to mitigate the threat with policy, training and technology.
Continue Reading
Can a hacker actually post malicious scripts to any server using a drop-down list?
By viewing a page’s HTML source code and writing malicious scripts to a drop-down list, hackers may be able to re-post the malicous page to the…
What software development practices prevent input validation attacks?
Improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection and command injection. In this expert Q&A…
Continue Reading
Frequently Asked Questions about intercepting proxy server
Can you block proxy server?
As long as you have the IP address of the proxy server, you can block it by creating a new rule in the firewall. Obtain the IP address of the anonymous proxy server from your Web server’s logs.
Can proxy server be hacked?
Attackers can also access blocked content by surfing through an organization’s outbound proxy to then go to another proxy, through which one can surf. … To bypass these proxies, attackers can rely on non-standard ports or tunneling tricks, or they can attack the proxy server itself.
Is it illegal to use a proxy server?
Yes, it is legal to use a proxy server. Proxies have many different uses, including enabling remote work; setting up a support system for users who are located outside a particular network; protecting networks and Internet users from malicious content; streaming online content from outside a country and more.
