
Surfing Anonymization Checklist
A few days ago a note about detecting VPN users went by on Habr. In the comments I posted a link to our service with similar functionality, which I wrote recently.
The main idea is to determine whether the user is hiding while surfing the web or not, and, if possible, to find out his real IP address. There are some interesting features that, to my knowledge, I have not seen anywhere else (two-way ping, matching DNS leak / ISP pairs).
I would like to have a checklist on hand that answers the question "are you giving yourself away?". At the moment the list consists of 12 checks, which are discussed below together with how not to fall for them, in order, starting with the simplest.
HTTP proxy headers
Some proxies append their own headers to the request that the user's browser initiates. Often those headers carry the user's real IP address.
Make sure the proxy server writes nothing at all into the headers listed below, or at least not your address:
HTTP_VIA, HTTP_X_FORWARDED_FOR, HTTP_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_FORWARDED, HTTP_CLIENT_IP, HTTP_FORWARDED_FOR_IP, VIA, X_FORWARDED_FOR, FORWARDED_FOR, X_FORWARDED, FORWARDED, CLIENT_IP, FORWARDED_FOR_IP, HTTP_PROXY_CONNECTION
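To make the check concrete, here is an added example (mine, not code from the service described in the post) that inspects a WSGI/CGI-style environ for the headers above and reports which of them leak a routable address other than the one the connection actually came from. The sample request is constructed; the handling of RFC 7239 `Forwarded` pairs and of `[IPv6]:port` forms goes beyond what the post lists and is my own addition.

```python
import ipaddress
from typing import Dict, List

# The headers from the list above, in CGI/WSGI environ spelling. Any of them
# being present at all means something upstream is rewriting the request.
PROXY_HEADERS = (
    "HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED_FOR", "HTTP_X_FORWARDED",
    "HTTP_FORWARDED", "HTTP_CLIENT_IP", "HTTP_FORWARDED_FOR_IP",
    "VIA", "X_FORWARDED_FOR", "FORWARDED_FOR", "X_FORWARDED", "FORWARDED",
    "CLIENT_IP", "FORWARDED_FOR_IP", "HTTP_PROXY_CONNECTION",
)


def _public_ips(value: str) -> List[str]:
    """Pull every routable IP address out of one header value.

    X-Forwarded-For is a comma-separated chain; RFC 7239 Forwarded carries
    'for=...' / 'by=...' pairs separated by ';' and may wrap IPv6 in brackets
    and append a port. Private, loopback and documentation ranges are ignored:
    they say nothing about where the user really is.
    """
    found: List[str] = []
    for token in value.replace(";", ",").split(","):
        token = token.strip()
        if "=" in token:                                   # for=..., by=..., proto=...
            key, _, token = token.partition("=")
            if key.strip().lower() not in ("for", "by"):
                continue
        token = token.strip().strip('"')
        if token.startswith("["):                          # "[2001:...]:51234"
            token = token[1:].split("]", 1)[0]
        elif token.count(":") == 1:                        # "1.2.3.4:51234"
            token = token.split(":", 1)[0]
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue                                       # "1.1 proxy.example.net", etc.
        if ip.is_global:
            found.append(str(ip))
    return found


def proxy_header_leaks(environ: Dict[str, str], remote_addr: str) -> Dict[str, List[str]]:
    """Return {header: [leaked IPs]} for every proxy header the request carries.

    An empty list still means the header was present (the proxy announces
    itself); a routable address different from REMOTE_ADDR is the real leak.
    """
    report: Dict[str, List[str]] = {}
    for header in PROXY_HEADERS:
        if header in environ:
            report[header] = [ip for ip in _public_ips(environ[header]) if ip != remote_addr]
    return report


# Constructed request as seen by our page, not a real capture: 5.6.7.8 is the
# proxy we talk to, 1.2.3.4 is the address the proxy gives away.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "5.6.7.8",
    "HTTP_VIA": "1.1 proxy.example.net (squid/3.5)",
    "HTTP_X_FORWARDED_FOR": "1.2.3.4, 10.0.0.5, 5.6.7.8",
    "HTTP_FORWARDED": 'for="[2001:4860:4860::8888]:51234";proto=https',
}

if __name__ == "__main__":
    print(proxy_header_leaks(SAMPLE_ENVIRON, SAMPLE_ENVIRON["REMOTE_ADDR"]))
```

Run against a real request, pass the server's view of the peer address as `remote_addr`; a non-empty list under any key is the "you are giving yourself away" result for this check.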
Open HTTP proxy ports
The IP address from which the request came to our page can say a lot. For instance, we can check which ports are open on that side.
The most interesting ports are 3128, 1080 and 8123. If you do not have them open, you avoid needless suspicion of running 3proxy, SOCKS5 or Polipo.
Open web proxy ports
As with HTTP proxies, a web proxy can hang on any port, but we wanted the test to run quickly, so we limited ourselves to connecting back to ports 80 and 8080. Did we get a web page back? Excellent! At the moment we are able to identify PHProxy, CGIProxy, Cohula and Glype.
A non-standard port plus authorization settles the matter.
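The following is an added example (not the service's code) of the connect-back probe described in the last two sections: it tries the visitor's IP on the classic proxy ports, fetches `/` on the web-proxy ports, and looks for a product name in whatever comes back. The marker strings are illustrative assumptions, not the real fingerprints the post alludes to; `demo()` stands up a constructed local page that pretends to be Glype so the block runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, Optional

# Default ports of the proxies the post names; any of them answering a
# connect-back is enough to raise suspicion.
PROXY_PORTS = {3128: "HTTP proxy (3proxy/Squid default)", 1080: "SOCKS", 8123: "Polipo"}
WEB_PROXY_PORTS = (80, 8080)
# Illustrative markers (my assumption, not the service's fingerprints).
WEB_PROXY_MARKERS = {"PHProxy": b"phproxy", "CGIProxy": b"cgiproxy",
                     "Glype": b"glype", "Cohula": b"cohula"}


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True when a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_root(host: str, port: int, timeout: float = 2.0, limit: int = 65536) -> bytes:
    """Plain HTTP/1.0 GET /; raw response bytes, or b'' if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            buf = b""
            while len(buf) < limit:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf
    except OSError:
        return b""


def identify_web_proxy(response: bytes) -> Optional[str]:
    """Name of the web proxy whose marker appears in the response, else None."""
    lowered = response.lower()
    for name, marker in WEB_PROXY_MARKERS.items():
        if marker in lowered:
            return name
    return None


def probe_client(host: str, proxy_ports: Dict[int, str] = PROXY_PORTS,
                 web_ports: Iterable[int] = WEB_PROXY_PORTS,
                 timeout: float = 1.0) -> Dict[str, object]:
    """Connect back to the visitor's address and report what answers."""
    open_proxy = {p: what for p, what in proxy_ports.items() if tcp_open(host, p, timeout)}
    web_servers: Dict[int, str] = {}
    for port in web_ports:
        response = fetch_root(host, port, timeout)
        if response.startswith(b"HTTP/"):
            web_servers[port] = identify_web_proxy(response) or "unidentified web server"
    suspicious = bool(open_proxy) or any(v in WEB_PROXY_MARKERS for v in web_servers.values())
    return {"open_proxy_ports": open_proxy, "web_servers": web_servers, "suspicious": suspicious}


def demo() -> Dict[str, object]:
    """Offline run: probe a constructed local page that pretends to be Glype.
    Real use passes the visitor's REMOTE_ADDR instead of 127.0.0.1."""

    class FakeGlype(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"<html><head><title>Glype proxy</title></head></html>"  # constructed
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), FakeGlype)
    web_port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # A port nothing listens on stands in for 3128/1080/8123.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return probe_client("127.0.0.1", proxy_ports={closed_port: "stand-in for 3128"},
                            web_ports=(web_port, closed_port))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Keep the timeout short: the probe runs while the visitor waits for the page, which is the same reason the post limits the web-proxy check to two ports.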
Suspicious host name
Given an IP address, you can try to resolve the client's hostname via reverse DNS. Stop words that hint at a tunnel: vpn, hide, hidden, proxy.
Do not bind domain names to a personal VPN, and if you do, avoid "talking" names.
The difference in time zones (browser and IP)
From GeoIP data you can find out the user's country by IP address, and therefore its time zone. Then you can compute the difference between the browser's time and the time that corresponds to the time zone of the VPN server, i.e. the address the request actually comes from.
Is there a difference? Then the user is probably hiding.
For Russia there is no accurate database of region coordinates, and since the country spans many time zones, we do not count these addresses in the final result. European countries are the opposite: they give the user away very reliably.
When switching to a VPN, remember to adjust the system time zone (the browser takes its time from it), or else work with Russian proxies.
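As an added illustration (mine, not the service's), the comparison itself: the `Date.getTimezoneOffset()` value the browser posts back against the current UTC offset of the GeoIP time zone, with Russian addresses skipped as described. The GeoIP lookup is assumed to have already produced a country code and an IANA zone name; the visit timestamps are constructed.

```python
from datetime import datetime, timezone
from typing import Optional
from zoneinfo import ZoneInfo


def browser_offset_minutes(js_timezone_offset: int) -> int:
    """Date.getTimezoneOffset() counts minutes *behind* UTC (Berlin in winter
    reports -60); flip the sign to the usual UTC+n convention."""
    return -js_timezone_offset


def ip_offset_minutes(geo_tz: str, at: datetime) -> int:
    """UTC offset of the GeoIP time zone at the moment of the visit, DST included."""
    delta = at.astimezone(ZoneInfo(geo_tz)).utcoffset()
    return int(delta.total_seconds()) // 60


def timezone_mismatch(js_timezone_offset: int, geo_country: str, geo_tz: str,
                      at: Optional[datetime] = None) -> Optional[int]:
    """Browser zone minus IP zone, in minutes: 0 when they agree, non-zero when
    the visitor's clock says one place and the address says another, None when
    the check is skipped (Russian addresses, for the reasons given above)."""
    if geo_country.upper() == "RU":
        return None
    at = at or datetime.now(timezone.utc)
    return browser_offset_minutes(js_timezone_offset) - ip_offset_minutes(geo_tz, at)


# Constructed visits: the browser posts getTimezoneOffset(), GeoIP supplies the rest.
SAMPLE_VISIT_WINTER = datetime(2024, 1, 15, 12, tzinfo=timezone.utc)
SAMPLE_VISIT_SUMMER = datetime(2024, 7, 15, 12, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Moscow browser (UTC+3, so getTimezoneOffset() == -180) behind a German exit IP
    print(timezone_mismatch(-180, "DE", "Europe/Berlin", SAMPLE_VISIT_WINTER))  # 120
    # New York browser in summer (offset 240) behind a Berlin IP: DST on both sides
    print(timezone_mismatch(240, "DE", "Europe/Berlin", SAMPLE_VISIT_SUMMER))   # -360
    # Paris browser, Madrid IP: same zone, different country, so the check passes
    print(timezone_mismatch(-60, "ES", "Europe/Madrid", SAMPLE_VISIT_WINTER))   # 0
    print(timezone_mismatch(-180, "RU", "Europe/Moscow", SAMPLE_VISIT_WINTER))  # None
```

The Paris/Madrid case shows the limit of the check: it only catches exits in a different time zone, not a different country in the same zone, and both sides must be evaluated at the same instant or DST transitions produce false alarms.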
IP from the Tor network
If your IP address is a Tor exit node from the list at check.torproject.org/cgi-bin/TorBulkExitList.py, congratulations, you have given yourself away.
Nothing criminal, but having it revealed that you are hiding is not very pleasant.
Turbo Browser Mode
Having collected the IP address ranges of Google, Yandex and Opera and compared them with the user's address, we can assume the use of the traffic compression services in the browsers of the respective companies.
As a rule, such services also leak your real address in the headers. Do not count on traffic compression as a means of anonymization.
Web proxy detection (JS method)
By comparing window.location.hostname with the host of the requested page, you can determine whether a web proxy is being used.
Web proxies are unreliable in principle, so it is better to avoid this kind of anonymization altogether.
IP leak through Flash
Adobe Flash happily works around the proxy configured in the browser. By having it initiate a connection to our server, we can find out the user's IP.
By running a special daemon that logs all incoming connections together with their tag keys, you can learn a lot. The best way not to disclose your address is not to use Adobe Flash at all, or to disable it in your browser settings.
Tunnel detection (two-way ping)
By pinging the client IP from our server, you can find out the approximate length of the route. The same can be done from the browser side: an XMLHttpRequest fetches a blank page from our nginx. The server-side ping only reaches the tunnel endpoint, while the browser's request also travels the leg from the user to that endpoint, so a difference between the two round trips of more than 30 ms can be interpreted as a tunnel.
Of course, the routes may vary and the web server adds a little, but overall the accuracy is pretty good.
The only way to protect yourself is to block ICMP traffic to your VPN server.
DNS leak
Finding out which DNS the user is using is not a problem: we wrote our own DNS server, which records all queries for our uniquely generated subdomains.
The next step was to collect statistics over several million users on who uses which DNS. We tied the resolvers to providers, dropped the public DNS servers and got a list of DNS / ISP pairs.
Now it is not at all difficult to tell whether the user presents himself as a subscriber of one network but uses the DNS of another.
The problem is partly solved by using public DNS services, if that can be called a solution.
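An added example, not the authors' DNS server, of the two pieces this section describes: a parser that pulls the unique token out of a query arriving for our zone and records which resolver asked, and a verdict that compares the resolver's network with the visitor's. The zone name `dnsleak.example`, the tiny ISP table and the query packets are constructed stand-ins; the real pairs came from the statistics the post mentions.

```python
import ipaddress
import struct
from typing import Dict, Iterable, Optional, Set

LEAK_ZONE = "dnsleak.example"   # assumed: a zone our authoritative server answers for


def parse_qname(packet: bytes) -> Optional[str]:
    """First question name of a raw DNS message, or None if it is not a sane query.

    Header is 12 bytes; the name is a run of length-prefixed labels ending in 0.
    A compression pointer (top two bits set) has no business in a question
    name sent to an authoritative server, so it is treated as malformed."""
    if len(packet) < 12:
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount == 0:      # QR bit set means response, not query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def extract_token(qname: str, zone: str = LEAK_ZONE) -> Optional[str]:
    """'<token>.dnsleak.example' -> '<token>'; names outside the zone -> None."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    return qname[:-len(suffix)] or None


def record_query(packet: bytes, resolver_ip: str, seen: Dict[str, Set[str]]) -> Optional[str]:
    """Log which resolver asked about which visit token; returns the token.
    In the real server this is called with (data, addr[0]) from sock.recvfrom()."""
    qname = parse_qname(packet)
    token = extract_token(qname) if qname else None
    if token:
        seen.setdefault(token, set()).add(resolver_ip)
    return token


# Constructed stand-in for the DNS/ISP pair table built from real statistics.
ISP_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "ISP-A",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B",
}
PUBLIC_RESOLVERS = (ipaddress.ip_network("8.8.8.0/24"), ipaddress.ip_network("1.1.1.0/24"))


def isp_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((isp for net, isp in ISP_BY_NETWORK.items() if addr in net), None)


def is_public_resolver(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PUBLIC_RESOLVERS)


def verdict(client_ip: str, resolver_ips: Iterable[str]) -> str:
    """'match' if some resolver sits in the visitor's own ISP, 'mismatch' if a
    known ISP's resolver was used but not the visitor's, 'public' if only public
    resolvers appeared (dropped from the pairs, as the post says), else 'unknown'."""
    resolver_ips = list(resolver_ips)
    client_isp = isp_of(client_ip)
    isps = {isp_of(r) for r in resolver_ips if not is_public_resolver(r)}
    if client_isp and client_isp in isps:
        return "match"
    if isps - {None}:
        return "mismatch"
    return "public" if any(is_public_resolver(r) for r in resolver_ips) else "unknown"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed A/IN query, what a resolver would send our server."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    seen: Dict[str, Set[str]] = {}
    # Visitor 203.0.113.45 (ISP-A) loads a1b2c3.dnsleak.example; the query
    # reaches us from a resolver inside ISP-B: a DNS leak.
    record_query(build_query("a1b2c3.dnsleak.example"), "198.51.100.53", seen)
    print(seen, verdict("203.0.113.45", seen["a1b2c3"]))   # mismatch
```

The token must be unique per page load and never cached, otherwise a query answered from a resolver's cache never reaches our server and the visitor looks clean.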
Leak through VKontakte
This is not an IP address leak, but we still believe that by handing out the names of logged-in users left and right, VK leaks private data, which undermines all anonymity while surfing.
For details, see the documentation at vk.com/dev/openapi. Pressing the "Log out" button after each session generally solves the issue, but the best recommendation is not to log in at all :)
Thank you for your attention!