Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
139 tokens/sec
GPT-4o
47 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Free Proxies Unmasked: A Vulnerability and Longitudinal Analysis of Free Proxy Services (2403.02445v1)

Published 4 Mar 2024 in cs.CR

Abstract: Free-proxies have been widespread since the early days of the Web, helping users bypass geo-blocked content and conceal their IP addresses. Various proxy providers promise faster Internet or increased privacy while advertising their lists comprised of hundreds of readily available free proxies. However, while paid proxy services advertise the support of encrypted connections and high stability, free proxies often lack such guarantees, making them prone to malicious activities such as eavesdropping or modifying content. Furthermore, there is a market that encourages exploiting devices to install proxies. In this paper, we present a 30-month longitudinal study analyzing the stability, security, and potential manipulation of free web proxies that we collected from 11 providers. Our collection resulted in over 640,600 proxies, that we cumulatively tested daily. We find that only 34.5% of proxies were active at least once during our tests, showcasing the general instability of free proxies. Geographically, a majority of proxies originate from the US and China. Leveraging the Shodan search engine, we identified 4,452 distinct vulnerabilities on the proxies' IP addresses, including 1,755 vulnerabilities that allow unauthorized remote code execution and 2,036 that enable privilege escalation on the host device. Through the software analysis on the proxies' IP addresses, we find that 42,206 of them appear to run on MikroTik routers. Worryingly, we also discovered 16,923 proxies that manipulate content, indicating potential malicious intent by proxy owners. Ultimately, our research reveals that the use of free web proxies poses significant risks to users' privacy and security. The instability, vulnerabilities, and potential for malicious actions uncovered in our analysis lead us to strongly caution users against relying on free proxies.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (26)
  1. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the 2014 ACM SIGSAC conference on computer and communications security (2014), pp. 674–689. https://doi.org/10.1145/2660267.2660347.
  2. Iot and the risk of internet exposure: Risk assessment using shodan queries. In 2019 IEEE 20th International Symposium on” A World of Wireless, Mobile and Multimedia Networks”(WoWMoM) (2019), IEEE, pp. 1–5. https://doi.org/10.1109/WoWMoM.2019.8792986.
  3. Empirical scanning analysis of censys and shodan. NDSS Symposium (2021). URL: https://www.ndsssymposium.org/wp-content/uploads/madweb2021_23009_paper.pdf (Accessed on 02.07.2022).
  4. Evaluation of the ability of the shodan search engine to identify internet-facing industrial control devices. International Journal of Critical Infrastructure Protection 7, 2 (2014), 114–123. https://doi.org/10.1016/j.ijcip.2014.03.001.
  5. An investigation of vulnerabilities in smart connected cameras. In 2018 IEEE international conference on pervasive computing and communications workshops (PerCom workshops) (2018), IEEE, pp. 537–542. https://doi.org/10.1109/PERCOMW.2018.8480184.
  6. Badpass: Bots taking advantage of proxy as a service. In Information Security Practice and Experience (Cham, 2022), C. Su, D. Gritzalis, and V. Piuri, Eds., Springer International Publishing, pp. 327–344. https://doi.org/10.1007/978-3-031-21280-2_18.
  7. Understanding the proxy ecosystem: A comparative analysis of residential and open proxies on the internet. IEEE Access 8 (2020), 111368–111380. https://doi.org/10.1109/ACCESS.2020.3000959.
  8. Daigle, B. Data centers around the world: A quick look. United States International Trade Commission: Washington, DC, USA (2021). https://www.usitc.gov/publications/332/executive_briefings/ebot_data_centers_around_the_world.pdf.
  9. The menlo report: Ethical principles guiding information and communication technology research. Tech. rep., US Department of Homeland Security, 2012. https://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCORE-20120803_1.pdf.
  10. Measuring {{\{{HTTPS}}\}} adoption on the web. In 26th USENIX security symposium (USENIX security 17) (2017), pp. 1323–1338. https://doi.org/10.5555/3241189.3241292.
  11. FIRST. Common vulnerability scoring system v3.0: Specification document. https://www.first.org/cvss/v3.0/specification-document, 2015.
  12. Log4shell: Rce 0-day exploit found in log4j, a popular java logging package. Blog, December 2021. https://www.lunasec.io/docs/blog/log4j-zero-day/.
  13. Attacks only get better: Password recovery attacks against {{\{{RC4}}\}} in {{\{{TLS}}\}}. In 24th USENIX Security Symposium (USENIX Security 15) (2015), pp. 113–128. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-garman.pdf.
  14. The race to the vulnerable: Measuring the log4j shell incident. arXiv preprint arXiv:2205.02544 (2022). https://doi.org/10.48550/ARXIV.2205.02544.
  15. Hollander, R. How luminati obtains its residential ips. https://web.archive.org/web/20200815175351/https://luminati.io/blog/luminati-network-sdk, 2019.
  16. IP, W. Unauthenticated remote code execution (rce) vulnerability in hikvision ip camera/nvr firmware (cve-2021-36260). https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html, 2021.
  17. An extensive evaluation of the internet’s open proxies. In Proceedings of the 34th Annual Computer Security Applications Conference (2018), pp. 252–265. https://doi.org/10.1145/3274694.3274711.
  18. Resident evil: Understanding residential ip proxy as a dark service. In 2019 IEEE symposium on security and privacy (SP) (2019), IEEE, pp. 1185–1201. https://doi.org/10.1109/SP.2019.00011.
  19. Moring, C. Proxyjacking has entered the chat. https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited, 2023.
  20. Proxytorrent: Untangling the free http (s) proxy ecosystem. In Proceedings of the 2018 World Wide Web Conference (2018), pp. 197–206. https://doi.org/10.1145/3178876.3186086.
  21. Detecting and defending against {{\{{Third-Party}}\}} tracking on the web. In 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12) (2012), pp. 155–168.
  22. Internet. Our World in Data (2015). https://ourworldindata.org/internet.
  23. Understanding open proxies in the wild. Chaos Communication Camp (2015). https://wills.co.tt/bitbucket/squid.pdf.
  24. Resip host detection: identification of malicious residential ip proxy flows. In 2021 IEEE International Conference on Consumer Electronics (ICCE) (2021), IEEE, pp. 1–6. https://doi.org/10.1109/ICCE50685.2021.9427688.
  25. TrendMicro. Shining a light on the risks of holavpn and luminati. https://web.archive.org/web/20200923073848/https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shining-a-light-on-the-risks-of-holavpn-and-luminati, 2018.
  26. A large-scale analysis of content modification by open http proxies. In NDSS (2018). https://doi.org/10.14722/ndss.2018.23244.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now