[unisog] Ideas on Detecting Proxy Use?

H. Morrow Long morrow.long at yale.edu
Thu Apr 25 15:14:47 GMT 2002

The 'Forwarded: ' (for Netscape/IPlanet) and 'Via: ' client HTTP headers
appear to be the best ways to detect proxy use (though a proxy server
would not necessarily have to use either if it wanted to be sneaky).

Netscape and IPlanet proxies add the 'Forwarded: ' header to the HTTP client
side request.

Other web proxies appear to use the 'Via: ' HTTP client side header. Examples:

Squid:            Via: 1.0 proxy:81 (Squid/2.3.STABLE3)
NetCache NetApp:  Via: 1.0 PROXYSERVER, 1.0 NetCache1 (NetCache NetApp/5.2R1D6)
                  Via: 1.1 proxy1 (NetCache NetApp/5.1R2D10)
CiscoCache:       Via: 1.1 ciscocache2
IBM:              Via: HTTP/1.0 GATESRV.domain.tld (IBM-HTTP-Server)

Based on what I've seen the Via: syntax appears to be:
	Via: version hostname:port (Software name/rel/version/etc)

The version usually seems to be 1.0 or 1.1, but sometimes it is listed as
HTTP/1.0 or HTTP/1.1 -- as these can differ on separate requests from the
same proxy machine I assume the proxy service is forwarding
the HTTP protocol version (1.0 or 1.1) which the client used when it 
contacted the proxy and made the request.  

The hostname is not always an FQDN (and is often a short unqualified name
or even an RFC1918 private IP address). 

The software vendor and program names vary but are usually inside parens.

The 'Via: ' header also appears to be used for traffic coming back from web proxies to their
clients (it shows up in the server side headers as well).  Anyone know if 'reverse' proxies
also use the 'Via: ' header?

You will often also see that many/most of the above proxies can (but don't have to)
use an X-Forwarded-For: HTTP client header (with the IP address or hostname of
the real web client requesting the page typically filled in, or "unknown").

Because most (if not all) web proxies are also caching proxies you will also
(but not always) see Cache-Control: and If-Modified-Since: headers used (though
regular web clients can use If-Modified-Since: as well).

Andrew Cormack wrote:
> Squid used to append its name to that of the browser in the user-agent HTTP
> header (it's a couple of years since I ran a squid though). To see that at a
> firewall you need to be able to look inside the packet, but it should be
> easily available to the server (or your inbound proxy). I'm not aware of any
> difference at the TCP or IP layers.
> Andrew
> > -----Original Message-----
> > From: Von Elm, William J [mailto:billve at bnl.gov]
> > Sent: 25 April 2002 00:48
> > To: 'unisog at sans.org'
> > Subject: [unisog] Ideas on Detecting Proxy Use?
> >
> >
> > Hi All,
> >    Does anybody have any insight or references on how to
> > determine if the
> > traffic inbound to a webserver is coming from a proxy such as
> > AnalogX or
> > Squid?  Do these proxies use a predictable range of source
> > ports or are
> > there any other characteristics that can serve to 'fingerprint' them?
> > Thanks in advance for your thoughts.
> >
> > --
> > Bill Von Elm
> > Brookhaven Nat'l Laboratory
> > billve at bnl.gov
> >
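The header-based detection the reply above describes, written out as an added example (not code from the post, Squid, NetCache, or any other product named in it). It parses the observed `Via:` syntax (version, hostname[:port], optional parenthesised software comment, several hops separated by commas) and then reports which proxy signals a request carries, treating `Via:`, `Forwarded:` and `X-Forwarded-For:` as strong indicators and the cache headers only as weak hints. The two sample requests are constructed for the example; the header values are taken from the post's own list.

```python
import re
from typing import Dict, List, Optional

# One hop of a Via header, following the syntax observed in the post:
#   version hostname[:port] (Software/version)
# "version" is 1.0, 1.1 or HTTP/1.0-style; the parenthesised comment is optional.
VIA_HOP_RE = re.compile(
    r"""^\s*
        (?P<protocol>(?:[A-Za-z0-9.+-]+/)?\d+(?:\.\d+)?)   # 1.0 | 1.1 | HTTP/1.0
        \s+
        (?P<received_by>[^\s(,]+)                          # proxy:81, NetCache1, ...
        (?:\s*\((?P<comment>[^)]*)\))?                     # (Squid/2.3.STABLE3)
        \s*$""",
    re.VERBOSE,
)


def split_via_hops(value: str) -> List[str]:
    """Split a Via value on commas that sit outside the parenthesised comment."""
    hops, current, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0:
            hops.append("".join(current))
            current = []
        else:
            current.append(ch)
    hops.append("".join(current))
    return [h.strip() for h in hops if h.strip()]


def parse_via(value: str) -> List[Dict[str, Optional[str]]]:
    """Parse each hop into protocol, received_by and comment (comment may be None).
    Hops that do not match the expected syntax are kept raw so nothing is silently dropped."""
    parsed = []
    for hop in split_via_hops(value):
        m = VIA_HOP_RE.match(hop)
        if m:
            parsed.append(m.groupdict())
        else:
            parsed.append({"protocol": None, "received_by": hop, "comment": None})
    return parsed


def proxy_software(hops: List[Dict[str, Optional[str]]]) -> List[str]:
    """Product name from each hop comment, e.g. 'Squid/2.3.STABLE3' -> 'Squid'."""
    return [h["comment"].split("/")[0].strip() for h in hops if h.get("comment")]


def parse_request_headers(raw: str) -> Dict[str, List[str]]:
    """Minimal header parser: lowercased names mapped to every value seen."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def proxy_indicators(headers: Dict[str, List[str]]) -> Dict[str, object]:
    """Collect the header-based proxy signals described in the post.
    'strong' is True when any explicit proxy header is present; cache hints alone are
    weak, because ordinary browsers send If-Modified-Since too. A proxy that strips all
    of these headers is indistinguishable from a direct client at this layer."""
    via_hops = [hop for v in headers.get("via", []) for hop in parse_via(v)]
    xff = [c.strip() for v in headers.get("x-forwarded-for", []) for c in v.split(",")]
    return {
        "via": via_hops,
        "software": proxy_software(via_hops),
        "forwarded": headers.get("forwarded", []),
        "x_forwarded_for": xff,
        "cache_hints": [h for h in ("cache-control", "if-modified-since") if h in headers],
        "strong": bool(via_hops or xff or headers.get("forwarded")),
    }


# Constructed sample request (not a real capture); header values follow the post's examples.
PROXIED_REQUEST = """GET /index.html HTTP/1.0
Host: www.example.edu
User-Agent: Mozilla/4.7 [en] (X11; I; Linux)
Via: 1.0 PROXYSERVER, 1.0 NetCache1 (NetCache NetApp/5.2R1D6)
X-Forwarded-For: 10.1.2.3
Cache-Control: max-age=0
"""

# Constructed direct request with no proxy headers at all.
DIRECT_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.edu
User-Agent: Mozilla/4.7 [en] (X11; I; Linux)
If-Modified-Since: Wed, 24 Apr 2002 10:00:00 GMT
"""

if __name__ == "__main__":
    for name, raw in (("proxied", PROXIED_REQUEST), ("direct", DIRECT_REQUEST)):
        print(name, proxy_indicators(parse_request_headers(raw)))
```

Run it as a script to see both classifications, or feed `proxy_indicators()` the headers your server or inbound proxy logs. The unmatched-hop fallback in `parse_via` matters in practice: the `Via:` grammar in the wild is loose, and a logging pipeline that drops odd hops would hide exactly the unusual proxies worth looking at.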