Tracing HTTP Activity Through Non-cooperating HTTP Proxies (Short Paper)

  • Richard J. Edell
  • Peter Kruus
  • Uri Meth
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4307)


Tracing nefarious HTTP activity to its source is sometimes extremely difficult when HTTP (and/or SOCKS) proxies are used for origin obfuscation. This paper describes a technique for tracing HTTP traffic through one or more non-cooperating HTTP (and/or SOCKS) proxies. The technique uses only passive observations of TCP/IP headers. Furthermore, the technique need only observe a single direction of the underlying TCP flows, i.e. the technique is asymmetric-route-robust. The technique represents a set of HTTP transactions as an activity profile. These profiles may be either distilled from passive network observations, or logged by a cooperating web server. Using statistical correlation techniques, we can trace both end-to-end SSL-encrypted HTTP, and unencrypted HTTP despite the source obfuscation methods employed by many contemporary proxies. The technique may be used to narrow the search space before applying other more resource intensive traceback techniques.


Listening Post Common Object Request Broker Architecture Lightweight Directory Access Protocol Accent Mark DARPA Information Survivability 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Cheng, H., Avnur, R.: Traffic Analysis of SSL Encrypted Web Browsing (1998)Google Scholar
  2. 2.
    Danezis, D.: Traffic Analysis of the HTTP Protocol over TLS (unpublished paper)Google Scholar
  3. 3.
    Hintz, A.: Fingerprinting websites using traffic analysis. In: Workshop on Privacy Enhancing Technologies, San Francisco, CA (April 2002)Google Scholar
  4. 4.
    Kindred, D., Reid, T., Wilson, B.: Phase I Final Technical Report: Tracing Attacks through Non-Cooperating Networks. SPARTA Technical Report (April 2005)Google Scholar
  5. 5.
    Schnackenberg, D., Holliday, H., Smith, R., Djahandari, K., Sterne, D.: Cooperative Intrusion Traceback and Response Architecture (CITRA). In: DARPA Information Survivability Conference & Exposition II, 2001. DISCEX 2001. Proceedings, vol. 1, pp. 56–68 (2001)Google Scholar
  6. 6.
    Sun, Q., Simon, D.R., Wang, Y., Russell, W., Padmanabhan, V.N., Qiu, L.: Statistical identification of encrypted web browsing traffic. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, USA (May 2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Richard J. Edell
    • 1
  • Peter Kruus
    • 1
  • Uri Meth
    • 1
  1. 1.SPARTA, Inc.ColumbiaUSA

Personalised recommendations