Geoff Jones 16 June, 2011

How To Detect Transparent Proxies

Ever wondered if your web traffic is being silently intercepted by a transparent proxy? Chances are if you are running on mobile broadband your provider will be saving bandwidth, by rerouting your traffic to cache content and perform image compression. You may come across transparent proxies used for logging purposes, AUP enforcement and sometimes evil (http://www.ex-parrot.com/pete/upside-down-ternet.html - the old trick of inverting all images on a web page).

The attached Perl script is designed to highlight the existence of a transparent proxy, using three common methods:

1.) Check to see whether an intercepting proxy does a DNS lookup on a fake host header*;
2.) Check to see whether the HTTP (TRACE) request headers are modified between the client and server;
3.) Check to see whether a TCP traceroute on port 25 returns a different path to port 80.

The first two checks can obviously be run as a limited user (on any platform), though the final check requires a TCP capable traceroute program and therefore root privileges to facilitate arbitrary TTLs. 

Please get in touch if you know of other methods of detecting transparent proxies or can suggest improvements. Currently there is a remote possibility that a proxy does actually exist but is not detected. In these cases the proxy has not modified request headers, it hasn't done a lookup on the host header, and the conducted traceroutes appear sane. For further information, read here.

Download the script here.

* There are several interesting attacks that can be launched against (and from) the proxy if DNS resolution is carried out in this way. If you find a vulnerable server, I'd suggest you take a read of this paper for ideas - TransparentProxyAbuse.pdf

Improve your security

Our experienced team will identify and address your most critical information security concerns.