RevProbe: Detecting Silent Reverse Proxies in Malicious Server Infrastructures

November 29, 2016

Antonio Nappa



Time:   11:00am
Location:   Meeting room 302 (Mountain View), level 3

Web service operators set up reverse proxies to interpose the communication between clients and origin servers for load-balancing traffic across servers, caching content, and filtering attacks. Silent reverse proxies, which do not reveal their proxy role to the client, are of particular interest since malicious infrastructures can use them to hide the existence of the origin servers, adding an indirection layer that helps protect origin servers from identification and take-downs.

We present RevProbe, a state-of-the-art tool for automatically detecting silent reverse proxies and identifying the server infrastructure behind them. RevProbe uses active probing to send requests to a target IP address and analyzes the responses looking for discrepancies indicating that the IP address corresponds to a reverse proxy. We extensively test RevProbe, showing that it significantly outperforms existing tools. Then, we apply RevProbe to perform the first study on the usage of silent reverse proxies in both benign and malicious Web services. RevProbe identifies that 12% of malicious IP addresses correspond to reverse proxies; furthermore, 85% of those are silent (compared to 52% for benign reverse proxies).
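The abstract only says that RevProbe looks for discrepancies in probe responses; the following is an added, simplified illustration of that idea, not RevProbe's own code. It parses two constructed HTTP responses (assumed to come from GET / and GET of a nonexistent path against one IP) and flags explicit proxy headers, a Server header that disagrees with the server signature embedded in the body, and Server headers that differ across probes.

```python
import re

# Constructed sample responses (not real probe traffic). The 404 page
# carries an Apache error footer while the Server header claims nginx:
# a typical sign that a front end is relaying a different origin server.
RESP_ROOT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.10.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>welcome</body></html>"
)
RESP_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.10.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.4.18 (Ubuntu) Server at 10.0.0.5 Port 80</address>"
    "</body></html>"
)

# Headers that a non-silent proxy typically adds (assumed, illustrative list).
PROXY_HEADERS = {"via", "x-cache", "x-varnish", "x-forwarded-for"}
# Server software names as they appear in headers and default error pages.
SIGNATURE_RE = re.compile(r"\b(apache|nginx|microsoft-iis|lighttpd)[/ ]?([\d.]*)", re.I)

def parse_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def server_family(text):
    """Return the server product named in text (e.g. 'nginx'), or None."""
    m = SIGNATURE_RE.search(text or "")
    return m.group(1).lower() if m else None

def find_discrepancies(responses):
    """Return findings suggesting a reverse proxy sits at the probed IP."""
    findings, header_families = [], set()
    for label, raw in responses.items():
        headers, body = parse_response(raw)
        for h in sorted(PROXY_HEADERS.intersection(headers)):
            findings.append(f"{label}: explicit proxy header {h}")
        hf, bf = server_family(headers.get("server")), server_family(body)
        header_families.add(hf)
        if hf and bf and hf != bf:
            findings.append(f"{label}: Server header says {hf} but body says {bf}")
    if len(header_families - {None}) > 1:
        findings.append("Server header differs across probes")
    return findings
```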