Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

IPAbuseCheck: Clients Abusing Web Proxies

image
THREATLABZ
October 19, 2011 - 2 min read

IPAbuseCheck was designed to provide a simple, free web interface to query your IP addresses against a database that we have built containing unauthenticated IP addresses that have attempted to forward abusive or unwanted traffic through one or more of our proxies. The database contains abusive IPs identified from July to present, and contains well over 20K unique IP addresses. Here is a screenshot showing an example report of an IP listed in our DB:

ImageIn this case, a client IP at a very large software company is infected and attempted to issue tens of thousands of login POST requests through our proxies to Megaupload servers (and others such as Rapidshare, Hotfiles, and Yahoo webmail) using the "Googlebot" user-agent. Note: URL parameter values have been stripped from the URLs in our database. This particular client IP is not listed in any IP denylists (checked using rbls.org). Very often, IP denylists list client IP addresses visible from the server perspective - in this case, it would have been our proxy IP if we let these transactions through. Our database provides a bit of a different perspective from many of these existing denylists, in that we are listing abusive clients that are using proxies.

The goal of this free service is to provide those interested (ISPs, companies/organizations, security professionals, etc.) with this data to identify and clean-up clients that are participating in this form of abuse. Clients leverage proxies to distribute and/or mask their origin when conducting forms of abuse, such as:

 

  • Brute-force web-based logins
  • Search Engine Optimization (SEO)
  • Forum spamming
  • Pay-per action cheating
  • Open proxy scanning
  • Bulk account registration
  • Site popularity / voting inflation
  • other forms of abuse (DDoS and web-site scraping)
Client IPs listed include both those that are intentionally used for abuse and those that are from infected hosts that are unknowingly abusing proxies on the Internet. Zscaler's service provides policy and security enforcement through its proxies from its customers - valid customers must first authenticate to the Zscaler service before being able to use our proxies. Transactions listed in this database are from unauthenticated clients attempting to utilize our proxies in an open manner to distribute and mask traffic for their abuse.

The idea for this service stemmed from two Zscaler blog posts:

 

We attempted to remove anything that we deemed to be a false-positive of abuse, but since this listing based on a few things like regular expressions and behavioral patterns it is still possible that the database contains false-positives. Use this information at your own discretion.
form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

Future Forward: The Top 5 Takeaways for Partners from Zenith Live
Future Forward: The Top 5 Takeaways for Partners from Zenith Live
Read Post
Zenith Live 2023
Zero Trust Connectivity Extended, Plus a Massive Leap in Data Protection - Zenith Live ‘23 Highlights
Read Post
Jay Chaudhry, Zscaler CEO
Zenith Live ‘23 Kicks Off with Stunning Series of Innovation Announcements
Read Post
Announcing New Zscaler Platform Capabilities to Identify, Mitigate, and Manage Large-Scale Attacks
Announcing New Zscaler Platform Capabilities to Identify, Mitigate, and Manage Large-Scale Attacks
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.