Log Files and Detecting the Attacker

Most HTTP servers log every access made to them.

Definition

Log files are special text files in which a system stores records about particular events.

For example, HTTP servers store the following information in their log files: the IP address of the remote user, the requested document with all parameters of the HTTP GET request, possibly the type of the remote user's browser, and some other data.

If an attack is detected, it is theoretically possible to determine from the logs which IP address the attack was launched from, and then to find the attacker. In addition, it is possible to find which scripts were attacked.

In practice, the attacker can conceal his or her IP address by using a proxy server. A proxy server is a server logically located between the user and the target server. Proxy servers were originally created for caching, to speed up access to information. Now they are also used by hackers who want to conceal their IP addresses when launching network attacks.

Because the connection to the server is made using a proxy server, the logs of the target server contain the IP address of the proxy server.

Proxy servers can be either anonymous or nonanonymous. An anonymous proxy server doesn't send the client's IP address in any header of the HTTP request. A nonanonymous proxy server does. For example, it can send the client's IP address in the X_FORWARDED_FOR field.

Warning

Even if a user connects to the HTTP server through a nonanonymous proxy server, the logs of the HTTP server will most likely contain the IP address of the proxy server. A script that reads the HTTP request headers can, in theory and in practice, recover a possible IP address of the client.

In Chapter 2, devoted to vulnerabilities in scripts, I demonstrated a method for forging X_FORWARDED_FOR and other headers to deceive a script that determines clients' IP addresses from these headers.

An anonymous proxy server can still include information about itself in a header of the HTTP request. In other words, the target server cannot find the actual IP address of the client, but it knows that the connection is made through a proxy server.

A proxy server that sends neither information about itself nor the actual IP address of the client is called absolutely anonymous. If the attacker uses an absolutely anonymous proxy server, the HTTP server cannot detect the presence of a proxy server from the HTTP request at all.

Consider the following examples of HTTP requests made directly and through a nonanonymous, an anonymous, and an absolutely anonymous proxy server.

Direct request

    GET /index.html HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 5.0; en-US; rv:1.7.1) Gecko/20040707
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 3000
    Connection: keep-alive

Request using a nonanonymous proxy server

    GET /index.html HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 5.0; en-US; rv:1.7.1) Gecko/20040707
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Via: 1.0 proxy.proxy.ru:3128 (squid/2.5.STABLE6)
    X-Forwarded-For: 11.22.33.44
    Keep-Alive: 3000
    Connection: keep-alive

Request using an anonymous proxy server

    GET /index.html HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 5.0; en-US; rv:1.7.1) Gecko/20040707
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Via: 1.0 proxy.proxy.ru:3128 (squid/2.5.STABLE6)
    X-Forwarded-For: 127.0.0.1
    Keep-Alive: 3000
    Connection: keep-alive

Request using an absolutely anonymous proxy server

    GET /index.html HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 5.0; en-US; rv:1.7.1) Gecko/20040707
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 3000
    Connection: keep-alive
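As an added example that is not part of the book, the following Python parses the header block of a raw request and classifies it the way the text does (direct and absolutely anonymous are indistinguishable; an announced proxy with a loopback or no client address is anonymous; a public client address makes it nonanonymous). It also applies the consequence of the warning above: because X-Forwarded-For is attacker-controllable, the claimed address is logged only when the TCP peer is one of the operator's own proxies. The sample requests and the TRUSTED_PROXIES set are constructed, hypothetical values.

```python
import ipaddress

# Constructed, hypothetical value: addresses of proxies we operate ourselves and
# therefore trust to fill in X-Forwarded-For honestly.
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed raw requests modelled on the cases shown in the text.
NONANON = ("GET /index.html HTTP/1.1\r\nHost: localhost\r\n"
           "Via: 1.0 proxy.proxy.ru:3128 (squid/2.5.STABLE6)\r\n"
           "X-Forwarded-For: 11.22.33.44\r\n\r\n")
ANON = ("GET /index.html HTTP/1.1\r\nHost: localhost\r\n"
        "Via: 1.0 proxy.proxy.ru:3128 (squid/2.5.STABLE6)\r\n"
        "X-Forwarded-For: 127.0.0.1\r\n\r\n")
DIRECT = "GET /index.html HTTP/1.1\r\nHost: localhost\r\n\r\n"


def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a raw request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:
            break                            # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers):
    """Classify as the text does. A direct request and one through an absolutely
    anonymous proxy carry no proxy headers, so they cannot be told apart."""
    via = headers.get("via")
    xff = headers.get("x-forwarded-for")
    if via is None and xff is None:
        return "direct-or-absolutely-anonymous", None
    claimed = (xff or "").split(",")[0].strip()   # first hop = original client
    try:
        ip = ipaddress.ip_address(claimed)
    except ValueError:
        return "anonymous", None         # proxy announces itself, no usable client IP
    if ip.is_loopback or ip.is_private:
        return "anonymous", None         # e.g. 127.0.0.1 hides the real client
    return "nonanonymous", claimed


def client_ip_to_log(remote_addr, headers):
    """Address to record. X-Forwarded-For is attacker-controllable, so it is
    believed only when the TCP peer is one of our own trusted proxies."""
    _, claimed = classify(headers)
    if claimed and remote_addr in TRUSTED_PROXIES:
        return claimed
    return remote_addr
```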

Although an anonymous proxy server doesn't send the actual IP address of the client to the HTTP server, it is theoretically possible to find the person who made the HTTP request. A government body can compel the owners of the proxy server to produce their log files, find the actual IP address of the client, and thereby find the attacker.

To make tracing his or her IP address harder, the attacker could use a chain of proxy servers. In that case, the logs of each proxy server would contain only the IP address of the previous proxy server in the chain.

The attacker can use special programs to build chains of Socks proxy servers and HTTPS proxy servers that support the CONNECT method. One example is SocksChains. This application works as a Socks proxy server itself and builds a chain of other proxies behind it. It allows the user to specify a target address for the chain, so it can also be used to create a chain of Socks proxy servers for applications that have no proxy support of their own.

The attacker can use this application to arrange a connection using a proxy chain for any protocol that uses a TCP connection.

Warning

FTP uses several connections; therefore, SocksChains doesn't allow the user to transfer files over FTP through a chain of Socks proxy servers.



Hacker Web Exploitation Uncovered
ISBN: 1931769494
EAN: N/A
Year: 2005
Pages: 77
