September 21st, 2020

Anonymous Proxies Unmasked – Every 15 Minutes

Are you concerned about users connecting to your website through an anonymizing proxy?

You should be. Because while not all proxy users are malicious, they’re all trying to hide something.

It might be something benign, like a privacy-conscious user shielding their online activities from marketers.

But it could also be a bad actor hiding something dishonest or even destructive behind that anonymity.

If your online business involves geographic restrictions of any kind, for example – streaming media with geofenced content, or gaming that is only licensed for users from specific states or countries – an anonymous user may be hiding their non-eligible location to bypass restrictions and access your content. That puts you at risk of contractual or regulatory violations.

Or they could be hiding their IP details because they’re engaged in truly malicious activities that threaten any business or network:

  • Perpetrating new account or credit card fraud
  • Propagating malware, possibly including proxy malware
  • Using multiple proxy servers to launch a powerful DDoS attack against your site – the “new normal” for such attacks.

These are all good reasons to be concerned about anonymous proxy connections – and why you need to be able to identify them as they connect to your website so you can flag them and monitor their activities, or simply block access.

Unfortunately, though, identifying proxy connections is not a trivial job.

True, most proxies are publicly advertised and readily available on the open Internet. You don’t have to visit the dark web to find them, or obtain bitcoins to purchase them – if you have to purchase one at all. Many are free, and they’re easy to find for anyone interested.

But for obvious reasons, they don’t announce themselves when they connect to your website. And there’s no single reliable tool or technique to detect them easily and quickly.

Nor is there any definitive public catalog of proxy servers. Even if there were, it would be out of date as soon as it was created. Like everything on the Internet, proxy servers are in a constant state of change. New ones become active, active ones close down, and formerly inactive ones come back to life.

So how can your security team reliably identify currently active anonymous proxies quickly enough to prevent damage?

Answer: the Anonymous Proxy feed, one of the Neustar UltraThreat Feeds that provide IT security teams with the exclusive data solutions they need to counter a range of threats, from malicious DGAs to DNS tunneling to phishing activity.

The Anonymous Proxy feed is delivered every 15 minutes with data on new proxy sites and status changes for existing proxies, updating a master file and reducing mean time to detection to near real time.

The feed ensures your security team has the most current and complete information available to identify anonymous connections arriving at your website – along with additional insights to help guide disposition strategies. It includes:

  • IP address, in both conventional dotted decimal and integer formats
  • Anonymizing level (elite or transparent), to gauge how serious the user is about hiding
  • Current status (active or inactive)
  • Date and time the proxy was tested, and the date it was last active.

The anonymous proxy file is provided in CSV format. It can be fed into your SIEM or directly into firewalls to block connections.

Uncovering the data: a dedicated team. When you’re using proxy data to guide decisions about blocking visitors, it has to be as accurate as possible. But that data– particularly current data – doesn’t come easily. As noted above, there is no single, simple tool or technique to identify and track the constantly changing constellation of anonymous proxies.

Fortunately, Neustar has made the job of uncovering anonymous proxies an ongoing priority – and established an unmatched 8-year track record of data, knowledge and expertise, spearheaded by a dedicated team of Network Geography Analysts.

They lead a multi-pronged effort to obtain IP addresses of anonymous proxies through a range of techniques, such as collecting publicly available data from websites and information from anonymous routers like Tor. These techniques deliver a large number of IP addresses that could be anonymous proxies.

The only way to confirm their status, however, is to test them – which the team does constantly, both with automated tools and manual processes. Because we require strong evidence that an IP address is currently active, we also work to eliminate false positives by looking for additional signs that it is in use. The analysis and decision-making process requires informed judgment, and our analysts have the experience to make the call.

Because the status of proxies changes all the time, testing and analysis of a given address is not a one-and-done effort. IPs are regularly retested to confirm whether they are active on inactive. In addition, recipients of the feed provide feedback on IPs for retesting and confirmation – and the resulting insights become part of the knowledge base, and are incorporated into the next feed.

This degree of dedication, coupled with tested, refined techniques guided by years of experience, ensures that the proxy data you receive is as accurate as possible. But then, when you’re identifying potentially malicious actors trying to take advantage of your online business – or worse, take it out – you need nothing less.

The Anonymous Proxy feed is just one of the valuable threat feeds Neustar offers IT security teams to help them protect their brand, defend their domain and mitigate fraud. If you’d like to learn more about how you can incorporate these timely, DNS-derived insights into your security framework, contact us or give us a call at 1-855-898-0036 in the US or +44 1784 448444 in the UK.

Let's Connect

Learn How Your Company Can Benefit from the Power of Trusted Connections.

Contact Us   Give us a call 1-855-898-0036