Why People Change Their IP Addresses

If you want to access the internet then you’ll need an IP address, otherwise you won’t be able to connect to anything.  That funny little network address is essential in order for you to do anything online simply because no computer would ever be able to find you.

streaming UK TV

For most us that address is assigned directly from our ISP when we connect up to the internet.  Each device is allocated an address from a range and it will use it to communicate online.  For many of us that address will not change for weeks on end and forms the basis of  our digital profile while we use the internet.

So why would we want to change this address? Why isn’t the IP address we’re assigned good enough?  Well the simple fact is that although you have little say in how your IP address is assigned, it does actually affect what you can do online quite significantly.   Your address is also used to determine your location which can also have an impact on your online experience.

Take a look at this brief video entitled Online IP changer and you can see some of the situations where it’s actually useful to have the ability to change your own IP address,

As you can see from the demonstration, your address is actually used to block and filter what you access online. SO for example many of the world’s best media site only allow access to their domestic markets. So to watch Hulu or HBO you have to be physically based in the US for example. Even if you are from the US and travel abroad, suddenly you’ll lose access to resources that you were previously able to access without issue. This is because you cannot take your IP address with you when you travel, well at least under normal circumstances.
As soon as you travel to France for instance, you’ll be consider a French person as you’ll have an IP address registered there. Which means you will get blocked if you access a US only website.

This is why proxies and VPNs are so important now as they give people some control over their digital identities. Anyone can use an intermediate server based in a different country in order to hide their location. So a US traveller could connect through a US proxy and enjoy the same access to US media sites that he had previously.

Proxies and IP Cloaking

Many people think  that all IP addresses are pretty much the same.  Of course, the numbers change but fundamentally one address is very much like another.  To some extent if we roll back the clock a couple of decades that would be true but in the new era of the internet – your IP address says quite a bit about you.

IT’s difficult to imaging that those random looking numbers in the format 192.168.1.1 have any real significance, but i’s actually become more important.  For example if you have the IP address – 23.248.183.211 I could easily determine a few facts including your location and who you use as an internet provider.

ip cloaking proxies

The specified address for example comes from a range assigned to Nigeria, so anyone using it is based in Nigeria or relaying through a server based there.  As it’s unlikely anyone would get any real advantage from using a Nigerian IP address then it’s probably that’s their real location.  Although some people do use Nigerian proxies for various semi-legal or criminal activities simply because law enforcement standards are fairly low there.

Websites will use this information for all sorts of reasons, although commonly marketing is the main driver.  Although IP addresses are also used extensively to restrict access.  For example if you try and post an advert on a US Craigslist site with a Nigerian IP address then you’ll simply get blocked.

Our IP addresses control what we can access and to some extent our online experience.  A digital entrepreneur from somewhere like India or Nigeria will have a much harder time than one from Chicago for example.  Access to marketing sites, advertising and payment processors will be much more difficult.  Nigeria’s reputation for online scams and fraud unfortunately makes life much more difficult for all their honest entrepreneurs too.

Which is why many such people use proxies in order to hide their true IP address and take advantage of a new one.  Our digital marketer in Nigeria may for example want to buy lots of trendy US merchandise to import and resell online, he won’t have much luck with a Nigerian address.  However by renting a proxy he can operate online with a UK or European address quite easily.  He may get to a more advanced level and use rotating residential proxies to buy stock from restricted releases like concert tickets or sneakers.

This in just one example but it illustrates the growing market in private proxies and VPNs designed to allow people to operate without these restrictions online.  Business people aren’t the only ones which use these services to hide their location.  There’s an even bigger market for ordinary people who just want to access movies, films and videos which are also blocked based on your location.  This post illustrates how a special method using name resolution and proxies can be used to access the BBC online – check it out it’s called BBC iPlayer DNS.  The method involves routing selected packets through a UK proxy based on specific DNS requests.  So the DNS server would wait until it sees a request for a geo-restricted site like the BBC only then route through a UK server so it worked properly.

 

DNS Considerations When Migrating Hosts

When migrating web host to a different hosting service’s server or modifying the server’s IP address, the most important factor to consider to guarantee to maintain schedule of the sites hosted on the server, decrease the downtime of the website, prevent strange difficulties such as emails get delivered to either server randomly, or browsing at old server, is how fast DNS (Domain Name System) will be able to check out or fix hostname or domain into your brand-new IP address, instead of the old IP address. Unfortunately, webmasters have actually limited ability to control or bypass the DNS propagation process. Nevertheless, there are still a few ideas, techniques and workarounds that guarantee DNS cache will refresh the new IP addresses as soon as possible.

DNS acts in such as aside that when an ask for IP address received by DNS resolver, it will then query the root hosts to discover the authorized server with comprehensive understanding of the specific domain name. If a legitimate IP address for the domain is returned by the reliable server, the DNS resolver will cache the DNS proliferation for a provided time period called TTL (Time To Live) after an effective reply, in what called DNS caching in order to decrease the load on specific DNS server. DNS caching provides resolution of domain to IP to happen locally using the cached info rather than querying the remote server for subsequent requests, till the TTL period expires.

The Time-To-Live (TTL) timer is the trick to ensure that the DNS cache ends immediately and all of the time remains fresh. TTL is specified by domain administrator in the authoritative DNS server for the zone wherever information stems, and its worths inform DNS caching resolvers to end and get rid of the DNS records after TTL seconds. Lowering the TTL value will make it possible for quick expiration and revitalizing of DNS records, making the new records to propagate faster across the world. Still, the technique demands the name resolvers comply the RFC standards, which most do. Alongside, you must have complete control to alter the name server reliable for your domains.

The tweaking of TTL in DNS records need to be done a number of days prior to it will alter (date of server moving or IP change) to guarantee that all DNS caching resolvers picks up the fresh TTL value and expires the old longer worth. The trick will cut down the TTL in anticipation of the alteration to reduce disparity during the modification, inning accordance with RCF 1034.

TTL is defined by Minimum field in SOA (Start of Authority) type as default TTL, or individually at each record as TTL. RCF 1912 explains the Minimum field in details as listed below:

Minimum: The default TTL (time-to-live) for resource records (RR)– for how long information will remain in other nameservers’ cache. ([ RFC 1035] specifies this to be the minimum value, but servers seem to always execute this as the default worth) This is by far the most essential timer. Set this as large as is comfortable provided how typically you update your nameserver. Remember if you’re routing your connection through any other intermediary then name resolution can be effected.  For example if you’re using something like a VPN or ATC proxy then the DNS servers may change from the client configuration.

If you plan to make major modifications, it’s a smart idea to turn this value down temporarily ahead of time. Then wait the previous minimum worth, make your modifications, confirm their correctness, and turn this worth back up. 1-5 days are typical values. Remember this value can be bypassed on individual resource records.  Which is the way some Smart DNS solutions create specific records to bypass region blocks, you can see an example in this post about accessing US Netflix.

If you are utilizing a web-based or GUI to manage your domain’s DNS records, and after that visit to the system, and edit the SOA records. Inside you’ll see a field called Minimum, change the value to as low as possible (in seconds), such as 300 for timeout every 5 minutes. Then alter the TTL for all the A, MX, CNAME, TXT, SOA, PTR and other records, if appropriate.

If you are using cPanel WebHost Manager (WHM), log-in and choose Edit DNS Zone under DNS Functions section. Pick the suitable zone (domain). You’ll be given with a list of records. Modify the minimum ttl in SOA, and TTL column of A, MX, CNAME and other records specified.

For those by hand set up the authoritative nameserver for a domain zone using BIND, modification has to be done in the zone file. For example, so domain zone example.com, you will see the following resource records in the zone file.

Wireless Network Traffic -The Basics

For 802.11b and 802.11g products use the radio frequency in the 2.4Gz band the band used by cordless phones, The 802.11a products use the 5.8Gh band used by the less common group of phones The 11Mps and 54Mps are not what you actually get.

Typical wireless speeds for 802.11b products is about 4-5 Mbps and the 802.11g have an capacity of about 20Mbps and the 802.11a are about 22Mbps.

Just about enough speed for modern applications for example watching BBC TV abroad like in this video.

It’s not uncommon in the computer industry to exaggerate a little about the speed of their devices, after all is a 17-inch monitor really 17 inches, a 80GB disk drive 80 Gigs and I know that modem of yours doesn’t deliver 56Kbps bits to your computer.

The main reason for the wireless speeds inflated rating is that some of it is taken by overhead, and even these lower capacities can be limited by distance-walls and other environmental conditions.

Dual-Band

54 Mbps and 11 Mbps, 8+3 non-overlapping channels, 64 users per access point, 2.4 GHz and 5 GHz Dual-band products – Linksys – WPC55AG – 54Mbps 802.11g/b/a Wireless Cardbus Adapter are a good choice in environments that are just getting started with 802.11b networks but expect that faster speeds will soon be needed.

Dual-band products offer both 802.11b and 802.11a functionality, in both PC Cards USB ports and AP products, enabling WLANs that can accept both types of clients. Dual-band clients automatically search for the best connection as users roam throughout the office or campus environment. Dual-band offers the best of both worlds.

Benefits

Simultaneous operation: Both 802.11a and 802.11b technologies operate side-by-side, without interference. Users can select either band, or both.

Enhanced roaming

The same WLAN adapter can be used in more places, such as home, work, and public hot spots, without configuration changes. Highest density: Up to 11 channels from both protocols are available, supporting more users.

Protects WLAN investment, supports both high- and low-speed network devices. Easier administration: Dual-band units combine two technologies into one, easing administration and support costs in environments where both types of devices are needed. Less interference: Devices have more channel options available.

Many dual-band products feature improved security capabilities, enhancing the WEP standard and offering additional functions such as MAC address filtering.

Where It Should Be Used

Dual-band products offer the best of both worlds

Anywhere there is an existing WLAN infrastructure that may need to accommodate both 802.11a and 802.11b USB devices. Will also support 802.11g devices. Density: Wherever maximum density is needed, dual-band is the right solution. Dual-band products have more channels (11), so they can support more users. This can result in a lower deployment costs.

Flexibility

Dual-band offers maximum wireless speed and maximum range. A single configuration can support both network protocols, reducing the need to support multiple environments or reconfigure client devices as users move between them. This results in lower support costs.

Examples

Include businesses where offices are co-located with warehouses, large campus environments, people traveling between multiple WLAN network types, or any organization that wants to extend existing WLAN to support the other protocol.

Further Reading:
Presentation Tools: Create Videos Quickly

Confused About Wireless Speeds – Standards Archive

Confused about wireless speeds, on your wireless home computer let me explain. All of the important standards are know by Wi-Fi the standards are themselves maintained by a association called Wireless Ethernet Compatibility Alliance (WECA) interoperability among the various products is a good thing.

One of the first standard to hit the market and still the most popular is called 802.11b with a rated speed of 11 Mbps – mega bits per second A standard for 802.11a, it is rated at 54Mbps – 25 Mbps – when .11b is not present and yes, “b” came before “a”

The newest product on the block with an increase in wireless speed 802.11g which is rated at 54Mbp unless you install a 802.11b card (11Mbps) , then the speed drops to the slowest device 802.11b, but they are compatible with 802.11b network interface (NIC) cards.

They should also have no problems or issues with using standard protocols such as TCP/IP which has a reliable connection and delivery protocol.  You can use them on servers and multihomed devices such as rotating proxies

Because of backward compatibility, older and slower 802.11b radio cards can interface directly with an 802.11g access point and vice versa at 11Mbps or lower wireless speeds , depending upon the range.

Quick Tip: The wireless speed gold standard is*802.11g – – the newest, fastest and most powerful kid on the block 802.11 radio technology that broadens bandwidths to 54 Mbps within the 2.4 GHz band.

In other words the two standards work together fine. But if I where installing a new wireless network or adding new wireless pc’s I would use the *802.11g for all of my computers.

We all like speed and no matter how fast we can go, on line or off , we still want to do it faster. When I moved my ISP account from the basic dial up modem (56Kbs) and replaced it with Cable I was one happy computer guy.  Let’s be honest those days are long gone and little basic modems wouldn’t keep up with even a very basic static web site now.

Most people now expect to be able to stream directly irrespective of which device they’re on.  How many of us have sat in a cafe or on a bus streaming HD quality video to the small phone in our hand, this takes a serious amount of bandwidth even if you have access to a 4G network.  I know for a fact that many people on my early morning train sit and watch the BBC on a VPN (we’re outside UK) using the wireless access point provided on the train.

Quick Tip: Troubleshooting cabling performance If you’re experiencing connection problems- check the following

So as far as wireless speed and wired networks are concerned…

    • Look for sources of interference, such as power outlets, fluorescent lights, power supplies, and coiled or extra-long cables.
    • Make sure all cable connections are secure. Check the link light on the network card – Nic – the devices you are connecting with each cable.
    • Make sure you have used the correct type of cables, either straight-through or crossover. Check hardware setup instructions to verify which cable you might need.
    • Be sure that you have not used a telephone cable in an Ethernet cable port.

The speed chain of command goes like this…

  • Fiber optic cable Uses light 186,000 MilesPsec, that’s fast The speed of light depends on the material that the light moves through – for example: light moves slower in water – glass and through the atmosphere than in a vacuum
  • Coaxial cable uses shielding to keep the signal focused and RG-6 & Cat. 5E 350MHz Dual Cableuses shielding to keep the signal focusedl reduces interference
  • Twisted pair Most commonly used in wired networks – UTP Cat 5e twists the pairs around each other to reduce interference and reinforce the signal

Overview of Parsed Mail Headers

Overview of parsed mail headers

The following is a list of a lot of the most popular mail headers, you can use this information to identify the origins and build these into scripts.
General Mail Details

Header Matching RegExExplanation
From|^from:(.*)|miThe From-address, the person who (allegedly) sent this e-mail.
To|^to:(.*)|miThe To-address, to whom the mail was addressed.
Subject|^subject:(.*)|miThe subject of the e-mail, as shown in the mailclient.
Carbon Copy|^cc:(.*)|miCarbon Copy list of e-mail addresses
MIME Version|^mime\-version:(.*)|miMIME
Return Path|^Return\-Path:(.*)|mReturn Path to which mails would bounce
Reply to|^Reply\-To:(.*)|miA reply to this e-mail would be sent to this address, which is not necessarily the same as the From-address.
Originating IP|^X\-Originating\-IP:(.*)|miThe IP address of the computer on which the email originated.
Originating e-mail|^X\-Originating\-Email:(.*)|mi Another representation of the sender of the email. Some mailers add this as a precaution against those who spoof the "From:" line.
Delivered to|^Delivered\-To:(.*)|miThe account to which the e-mail was finally delivered to.
In reply to|^In\-Reply\-To:(.*)|miThis e-mail message was sent as a reply to this address.
Forwarded to|^X\-Forwarded\-To:(.*)|miThis message was forwarded from another account (probably automatic).
Forwarded for|^X\-Forwarded\-For:(.*)|mi The account which forwarded this e-mail.
References|^References:(.*)|mi
Message Id|^Message\-ID:(.*)|miA unique identifier for this e-mail (at least, in the sending MTA).
HeaderMatching RegExExplanation
Received SPF|^received\-spf:(.*)|miThe received SPF record
Authentication Results|^Authentication\-Results:(.*)|miAuthentication Results (usually SPF related)
Spamcheck Version|^X\-Spam\-Checker\-Version:(.*)|mX-Spam-Checker-Version: which software was used
Spam Status|^X\-Spam\-Status:(.*)|miX-Spam-Status: was this spam?
Scanned by|^X\-Scanned\-By:(.*)|miSoftware used to scan this message.
Virus scanned|^X\-Virus\-Scanned:(.*)|miScanned for virusses.
HeaderMatching RegExExplanation
Accept Language|^Accept\-Language:(.*)|miIndicates the preference with regard to language.
Content Language|^Content\-Language:(.*)|miIndicates the language of the content.
Accept Language|^acceptlanguage:(.*)|mSee: 'Accept-Language'

The following can be traced including if they’re using residential proxies.

HeaderMatching RegExExplanation
MailScanner Information|^X\-NUCLEUS\-MailScanner\-Information:(.*)|miAdditional information on the MailScanner.
Mailscanner ID|^X\-NUCLEUS\-MailScanner\-ID:(.*)|miInternal ID used in MailScanner software.
Mailscanner result|^X\-NUCLEUS\-MailScanner:(.*)|mi Result of the MailScanner process, whether it was spam or not.
Mailscanner spamcheck|^X\-NUCLEUS\-MailScanner\-SpamCheck:(.*)|mi
Mailscanner from|^X\-NUCLEUS\-MailScanner\-From:(.*)|miFrom-header received by MailScanner.
Spamscore|^X\-NUCLEUS\-MailScanner\-SpamScore:(.*)|miIf mail was marked as spam, this will hold the spamscore.
HeaderMatching RegExExplanation
Date Sent|^date:(.*)|miDate at which the e-mail was sent.
Original Arrival Time|^X\-OriginalArrivalTime:(.*)|miThis is a time stamp placed on the message when it first passes through a Microsoft Exchange server.
HeaderMatching RegExExplanation
Content Type|^Content\-Type:(.*)|miThe type of content that is being sent via mail.
Transfer Encoding|^Content\-Transfer\-Encoding:(.*)|miThe encoding used to send the message.
Content class|^Content\-class:(.*)|miAnother MIME header, telling MIME-compliant mail programs what type of content to expect in the message.
Content disposition|^Content\-Disposition:(.*)|miHow the content of the mail should be handled (inline, attachment, ...).
HeaderMatching RegExExplanation
Mailer software |^X\-Mailer:(.*)|miThe mailclient or mailing software used to send out the e-mail.
User Agent |^User\-Agent:(.*)|mi The mailing software that the client has identified himself as.
Mail Priority |^X\-Priority:(.*)|miThe priority with which this e-mail was sent.
Sender |^X\-Sender:(.*)|miA custom header, to show the real sender e-mail address.
Microsoft Mail Priority|^X\-Msmail\-Priority:(.*)|miThe priority as entered in Microsoft Mail.
User Agent|^X\-User\-Agent:(.*)|mi User Agent used to send the e-mail.
Header Matching RegExExplanation
Mime OLE|^X\-MimeOLE:(.*)|mi Mime OLE software used by the sender.
Thread index \-Index:(.*)|miIs used for associating multiple messages to a similar thread. For example, in Outlook the conversation view would use this information to find messages in one conversation thread.
TNEF Correlator|^X\-MS\-TNEF\-Correlator:(.*)|miThe Transport Neutral Encapsulation Format is Microsoft Exchange/Outlook specific, used when sending messages formatted as Rich Text Format (RTF).
Has attachment |^X\-MS\-Has\-Attach:(.*)|miInforms that the client is ready to send attachments and it also informs whether or not the e-mail contains any attachments. If the e-mail contains attachments the information header X-MS-Has-Attach: will say "yes" after colon.
Thread topic |^Thread\-Topic:(.*)|miUsually the original subject, used as the readable version of Thread-Index.
     

Additional@ Using Proxies to watch Match of the Day Stream

 

 

HTTP Authentication and Proxy Configurations

HTTP Authentication Since the reverse proxy server masquerades as a Web server, the authentication required by the reverse proxy is Web server authentication. That is, the challenge status code is 401, not 407. See elsewhere in this blog for HTTP authentication, and differences between Web server and proxy server authentication.

Dynamic Content and Reverse Proxying

Dynamic content poses a problem With reverse proxies. If the content is dynamically generated, it cannot be cached efficiently. Rather, each request must be forwarded to the origin server. This defeats the benefits of caching in the proxy server, and may in fact impede performance. A common misconception relates to the way CGI scripts are handled. CGI scripts are always executed by the origin server; they are never trans- ferred in their source code/program language form to the proxy server and executed there. Only the result of the CGI execution is passed to the proxy server, and, if marked cacheable, it may be cached by the proxy. As long as the number of dynamic pages is fairly small compared to the total number of requests, reverse proxying can be beneficial as in this case – http://bbciplayerabroad.co.uk/how-to-watch-bbc-iplayer-in-the-usa/. If there are many dynamic pages, they may be duplicated on multiple origin servers, and DNS round robin used to distribute the load among them. The static content may still be handled by reverse proxy servers.

Alternatives to Using Reverse Proxies:

There are a couple of alternatives to reverse proxies. One is the 3 05 Use Proxy status code in HTTP/ 1.1 that is intended for redirecting the client [or an intermediate (forward) proxy] that directly connects to the origin server to go through a proxy server. This releases the proxy in question from having to be a reverse proxy, since the client is now aware of the proxy’s existence in between. The 305 status code is intended as a mechanism for associating a one-site—only proxy server that will not be used for anything else. Note that if a (forward) proxy server is already used by the client, the client will not receive the 305 response. Instead, it is intercepted and handled by the last (forward) proxy in the proxy chain (that’s the proxy that attempted a direct connection to the origin server to begin with).

At the time of this writing, the support for the 305 status code is not widespread, either by client software or proxy servers. Once HTTP/1 becomes more widespread, the use of 305 proxy redirection may be viable option to reverse proxying. Another alternative to reverse proxying is to handle replication ~ ‘ server content by other means.

This can be accomplished by a plugin, the Web server, or by copying content between servers by other too such as FTP or secure rdist. At this time, copying content between servers using out-of-band mechanisms is the most common way of ting up large server pools. As reverse proxy server technology advance» may become an easier mechanism for setting up server pools. SUMMARY Reverse proxying provides an alternative to moving the server from ‘ internal network to the firewall. As the performance of proxy server \ ” ware increases, they may become a viable solution for synchronizing among multiple replicated servers in a large origin server pool.

Source: Guidance on Find a Fast UK Proxy

UK Proxy Buy – Some Tips

So what is a proxy, well the definition actually changes slightly depending on who you are talking to.  The origin of the term goes back to the beginning of the web in around 1990 when proxy servers were actually referred to as ‘gateways’.  These were simply devices which forwarded packets between different networks, sometimes even converting the different protocols that were being used.

However a simple up to date definition could be as follows:

A proxy server is a computer or system that acts as an intermediary between a client and a server.

They have all sorts of uses within corporate networks but in reality their real popularity has come outside that from ordinary computer users. You see the proxy sits between the computer you are using and the server you are contacting. It relays all information between the two sides and effectively protects the anonymity of the client computer.

This is the main benefit of using a proxy in this context, the proxy hides your location, your computer and identity from the web server you are using.

So Why all Secret Squirrel?  UK Proxy Buy or Not?

Most proxy users aren’t looking for total anonymity (although some are), but people have been using proxies for years in order to bypass the various blocks and filters that exist online. For example one of the most popular uses of a proxy server was in order to access British TV Online and blocked media sites  such as the BBC iPlayer or Hulu.

The BBC’s wonderful website and application is only accessible if you’re physically located in the United Kingdom – everyone else get’s blocked. However if you connect through a UK proxy first, then the BBC website only sees the location of the proxy and allows access.

It is how millions of people across the world could watch the BBC News or Match of the Day from outside the United Kingdom. As long as their proxy server was located in the UK, their actual location didn’t matter.  Exactly the same situation from US sites like Hulu, to access from outside the USA you needed to channel your connection through a proxy server based in the United States.

So does a UK Proxy Unlock Every UK TV site?

Unfortunately no, in fact the reality is that nowadays a proxy is pretty much useless as far as bypassing geographical blocks.  The reason is that the inbound connection from a proxy server is actually fairly easy to detect which is what most large scale media sites do.  If they detect a connection from a proxy server then access is blocked automatically.

Here’s a example of the message you get when trying to access Netflix through a proxy, it simply won’t let you use the site.

The reality is that there’s little point in buying a UK proxy or indeed one based anywhere in the world.  They can still obscure your identity a little, and they stop every website you visit being logged at your ISP but for watching UK TV you need something else.

That something else is a UK VPN service, which in many ways operates in a very similar way.  A VPN is a virtual private network connection between your computer and a VPN server.  Exactly like a proxy this server acts as an intermediary between you and the web resource you’re trying to access – relaying information both ways.  Yet there are important differences, firstly the entire connection is encrypted which means that no-one can access or intercept your data at any point.  The second is that a VPN connection is virtually impossible to detect, so none of the media sites are able to block or disconnect the connection.

Here we can see one such VPN service in action, it’s called Identity Cloaker.

As you can see it’s quite straight forward especially on a computer or laptop.  You merely click on the country you require and it establishes a connection to that specific VPN server. From that point any website you connect to will only the address of the VPN server not yours, which means that you can access whatever you like irrespective of your location.

Literally millions of people use these VPN services now to bypass blocks and filters of all descriptions.  Some use them to bypass state controlled filters such as in China and Turkey where the internet is heavily censored. While many others simply use them to access things like UK or US television, or to switch the version of Netflix they are using.

If you want to try the VPN service illustrated here, which is one of the few that still works with all the British TV sites it’s called Identity Cloaker.

You can try their 10 day trial here – Identity Cloaker

Primer on Protocol Verification

Depending on the environment and the purpose of a proxy then protocol verification is not always necessary. Indeed this was mostly ignored by earlier proxies and gateways as information was simply tunneled through transparently. Nowadays though there is normally some requirement to identify the protocol being transmitted through the proxy server.

Generic (circuit-level) tunneling, such as SOCKS and (SSL) tunneling, allows any protocol to be passed through the proxy server gateway. This implies that the proxy server does not necessarily understand the protocol and cannot verify what is happening at the protocol level. For example, the SSL tunneling protocol, despite its name, can tunnel /my TCP-based protocol, for example the telnet protocol.

A short-term solution to this is to allow only well-known ports to be tunneled, such as 445 for HTTPS, 563 for SNEWS, and 636 for secure LDAP. See Table 7-1 on page 135 for a list of well-known Web-related protocol ports. A longer-term solution is to be provided by proxy servers that verify the spoken protocol. More intelligence will need to be built into proxy servers to understand even protocols that are merely tunneled, not proxied. This enables proxies to notice misuse, such as exploiting the SSL tunneling to establish a telnet session.

Note that protocols that are proxied at the application level by the proxy server, such as HTTP, FTP, and Gopher, cannot be exploited as above because no direct “tunnel” is established through the proxy server. Instead, the proxy will fully re-perform the request on behalf of the client and then pass the response back.   This is important as it may be necessary for the function to be completed properly.  For example it’s common now to stream multimedia or video through  the servers and these need to function on the specific ports.  You won’t be able to stream things like the BBC TV output through this site without some sort of protocol verification taking place.

This ensures that the protocol is a legitimately allowed protocol. ‘ However, the Gopher protocol, or rather Gopher URLs, can be used to fool the proxy to make requests using other protocols by crafting special malicious URLs that convert to the language used by some other protocol.

Common Security Holes in Server Software can be read about on this blog and particularly there are Trojan horses disguised as Gopher URLs. If limiting to well-known ports is not acceptable (there are a number of servers out there running on non-standard ports), it is recommended to at least [9106/e ports that definitely should not be allowed an SSL tunnel to. Among these are ports known to be dedicated for other purposes, such as the telnet and SMTP ports (23, 25, respectively). Some proxy server software may in fact have a built-in filter for these ports and automatically disallow Gopher requests to them.

Loki – How ICMP Really Can be Dangerous

Overall ICMP has been viewed as quite a harmless and perhaps even trivial protocol. However that all changed with the rather nasty Loki.  In case you didn’t know Loki is from Norse mythology and he was the god of trickery and mischief.  The Loki exploit is well named and seeks to exploit the hither to benign ICMP protocol.  ICMP is intended mainly to inform users of error conditions and to make very simple requests.  It’s one of the reasons intrusion analysts and malware students tended to ignore the protocol.  Of course it could be used in rather obvious denial of service attacks but they were easily tracked and blocked.

However Loki changed that situation as it used ICMP as a tunneling protocol as a covert channel. The definition of a covert channel in these circumstances is a transport method used in either a secret or unexpected way. The transport vehicle is ICMP but Loki acts much more like a client/server application.  Any compromised host that gets a Loki server instance installed can respond to traffic and requests from a Loki client.   Which would also work if the client was spoofing their IP address to watch something like Netflix for instance – see this.  So for instance a Loki server could respond to a request to display the password file to screen or file. That could then be possibly captured and cracked by the owener of the Loki client application.

Many intrusion detection analysts would have simply ignored ICMP traffic passing through their logs.  Mainly because it’s such a common protocol but also an such an innocuous one.  Of course well read analysts will know treat such traffic with heightened suspicion, Loki really has changed the game for protocols like ICMP.

For those of us who spend many hours watching traffic Loki was a real eye opener.  You had to check those logs a little more carefully especially to watch out for those strange protocols being used in a different context.  There’s some more information on these attacks hidden on this technology blog – http://www.iplayerabroad.com/using-a-proxy-to-watch-the-bbc/.  It can take some finding though !!