Tracing HTTP Activity Through Non-cooperating HTTP Proxies (Short Paper)
Tracing nefarious HTTP activity to its source is sometimes extremely difficult when HTTP (and/or SOCKS) proxies are used for origin obfuscation. This paper describes a technique for tracing HTTP traffic through one or more non-cooperating HTTP (and/or SOCKS) proxies. The technique uses only passive observations of TCP/IP headers. Furthermore, it need only observe a single direction of the underlying TCP flows, i.e., it is robust to asymmetric routing. The technique represents a set of HTTP transactions as an activity profile. These profiles may be either distilled from passive network observations or logged by a cooperating web server. Using statistical correlation techniques, we can trace both end-to-end SSL-encrypted HTTP and unencrypted HTTP, despite the source obfuscation methods employed by many contemporary proxies. The technique may be used to narrow the search space before applying other, more resource-intensive traceback techniques.
Keywords: Listening Post; Common Object Request Broker Architecture; Lightweight Directory Access Protocol; Accent Mark; DARPA Information Survivability
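The abstract does not give the profile format or the correlation statistic, so the following is an added illustration, not the paper's code. It assumes an activity profile is a per-second count of events, that the statistic is Pearson correlation, and that the proxy adds a small forwarding delay. The function names, addresses and timestamps are constructed.

```python
import math

def activity_profile(times, start, end, bin_s=1.0):
    """Per-bin event counts over [start, end); only timestamps are needed."""
    prof = [0] * math.ceil((end - start) / bin_s)
    for t in times:
        i = int((t - start) // bin_s)
        if 0 <= i < len(prof):
            prof[i] += 1
    return prof

def pearson(a, b):
    """Pearson correlation of two equal-length count vectors."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0  # flat profile: no evidence

def best_lagged(ref, cand, max_lag):
    """Best correlation when cand leads ref by 0..max_lag bins (proxy delay)."""
    return max(pearson(ref[lag:], cand[:len(cand) - lag])
               for lag in range(max_lag + 1))

def rank_sources(server_times, flows, start, end, bin_s=1.0, max_lag=2):
    """Rank candidate sources by how well their profile matches the server's."""
    ref = activity_profile(server_times, start, end, bin_s)
    scores = {src: best_lagged(ref, activity_profile(ts, start, end, bin_s), max_lag)
              for src, ts in flows.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample data: seconds within a 30 s observation window.
# SERVER_LOG: request times logged by a cooperating web server.
# FLOWS: connection start times seen passively on the client side of the proxy.
SERVER_LOG = [1.3, 1.4, 5.2, 5.3, 5.4, 12.1, 20.6, 20.7, 27.3]
FLOWS = {
    "192.0.2.10": [1.1, 1.2, 5.0, 5.1, 5.2, 11.9, 20.4, 20.5, 27.1],
    "198.51.100.7": [0.5, 3.2, 8.8, 9.1, 14.4, 17.0, 22.3, 25.5, 29.0],
}

if __name__ == "__main__":
    for src, score in rank_sources(SERVER_LOG, FLOWS, 0, 30):
        print(f"{src}\t{score:.3f}")
```

A high score only narrows the candidate set, as the abstract says; it is a lead for further traceback, not an attribution.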