Fingerprinting reverse proxies using timing analysis of TCP flows
Authors
Weant, Matthew S.
Subjects
Active Measurement, Timing Analysis, Reverse Proxy, Fingerprinting
Advisors
Xie, Geoffrey
Beverly, Robert
Date of Issue
2013-09
Date
Sep-13
Publisher
Monterey, California: Naval Postgraduate School
Abstract
Reverse proxy servers are valuable assets to defend outside hosts from seeing the internal network structure upon which the reverse proxy is serving. They are frequently used to protect valuable files, systems, and internal users from external users while still providing services to outside hosts. Another aspect of reverse proxies is that they can be installed remotely by malicious actors onto compromised machines in order to service malicious content while masking where the content is truly hosted. Reverse proxies interact over the HyperText Transfer Protocol (HTTP), which is delivered via the Transmission Control Protocol (TCP). TCP flows provide various details regarding connections between an end host and a server. One such detail is the timestamp of each packet delivery. Concurrent timestamps may be used to calculate round trip times with some scrutiny. Previous work in timing analysis suggests that active HTTP probes to servers can be analyzed at the originating host in order to classify servers as reverse proxies or otherwise. We collect TCP session data from a variety of global vantage points, actively probing a list of servers with a goal of developing an effective classifier to discern whether each server is a reverse proxy or not based on the timing of packet round trip times.
Type
Thesis
Department
Computer Science
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.