By: ThreatLabz

IPAbuseCheck: Clients Abusing Web Proxies

Analysis

IPAbuseCheck was designed to provide a simple, free web interface to query your IP addresses against a database that we have built containing unauthenticated IP addresses that have attempted to forward abusive or unwanted traffic through one or more of our proxies. The database contains abusive IPs identified from July to present, and contains well over 20K unique IP addresses. Here is a screenshot showing an example report of an IP listed in our DB:

In this case, a client IP at a very large software company is infected and attempted to issue tens of thousands of login POST requests through our proxies to Megaupload servers (and others such as Rapidshare, Hotfiles, and Yahoo webmail) using the "Googlebot" user-agent. Note: URL parameter values have been stripped from the URLs in our database. This particular client IP is not listed in any IP blacklists (checked using rbls.org). Very often IP blacklists list client IP addresses visible from the server perspective - in this case, it would have been our proxy IP if we let these transactions through. Our database provides a bit of a different perspective from many of these existing blacklists, in that we are listing abusive clients that are using proxies.

The goal of this free service is to provide those interested (ISPs, companies/organizations, security professionals, etc.) with this data to identify and clean-up clients that are participating in this form of abuse. Clients leverage proxies to distribute and/or mask their origin when conducting forms of abuse, such as:
  • Brute-force web-based logins
  • Search Engine Optimization (SEO)
  • Forum spamming
  • Pay-per action cheating
  • Open proxy scanning
  • Bulk account registration
  • Site popularity / voting inflation
  • other forms of abuse (DDoS and web-site scraping)
Client IPs listed include both those that are intentionally used for abuse and those that are from infected hosts that are unknowingly abusing proxies on the Internet. Zscaler's service provides policy and security enforcement through its proxies from its customers - valid customers must first authenticate to the Zscaler service before being able to use our proxies. Transactions listed in this database are from unauthenticated clients attempting to utilize our proxies in an open manner to distribute and mask traffic for their abuse.

The idea for this service stemmed from two Zscaler blog posts:
We attempted to remove anything that we deemed to be a false-positive of abuse, but since this listing based on a few things like regular expressions and behavioral patterns it is still possible that the database contains false-positives. Use this information at your own discretion.

Learn more about Zscaler.