
Anonymity checklist for web surfing

A few days ago a post about detecting VPN users appeared on Habr. In the comments I posted a link to our service with similar functionality, which I had recently been writing.

The main idea is to determine whether a user is hiding while surfing the web and, if possible, to find out their real IP address. There are a few interesting pieces here that I have not seen anywhere else (two-way ping, matching of DNS leak / ISP pairs).

I wanted to have a kind of checklist at hand that would answer the question: are you "burned" or not? At the moment the list consists of 12 checks, which are discussed below together with how to avoid each of them, starting with the simplest.

HTTP proxy headers


Some proxies add their own headers to the request initiated by the user's browser. Often these headers contain the user's real IP address.

Make sure that if the proxy server writes anything into the headers listed below, it is at least not your address (these are the CGI-style names under which a PHP or CGI script sees the Via, X-Forwarded-For, Forwarded-For and X-Forwarded request headers):

HTTP_VIA, HTTP_X_FORWARDED_FOR, HTTP_FORWARDED_FOR, HTTP_X_FORWARDED
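The server-side part of this check, as an added example rather than the service's own code: given a request environment shaped like PHP's $_SERVER (constructed here), pull every address a proxy wrote into the forwarding headers and report those that differ from the connecting peer and are not RFC 1918 or loopback hops. Besides the four headers named above it also looks at HTTP_FORWARDED, the RFC 7239 Forwarded header, whose `for=` syntax is handled; that header and the sample values are this example's additions.

```python
import ipaddress
import re

# Header names as a CGI/PHP script sees them in $_SERVER. The first four are the
# ones named in the article; HTTP_FORWARDED (RFC 7239) is added in this example.
FORWARDING_HEADERS = (
    "HTTP_VIA",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_FORWARDED_FOR",
    "HTTP_X_FORWARDED",
    "HTTP_FORWARDED",
)

# Addresses that are proxy-chain internals rather than a client leak.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Greedy run of characters that can form an IPv4 or IPv6 literal.
_IP_TOKEN = re.compile(r"[0-9a-fA-F:.]+")


def is_internal(addr):
    # `in` on a network of the other IP version simply returns False.
    return any(addr in net for net in _INTERNAL)


def extract_addresses(value):
    """Return every syntactically valid IP address found in a header value.

    Handles comma-separated lists (X-Forwarded-For: a, b), the RFC 7239 form
    (Forwarded: for=1.2.3.4;proto=https, for="[2001:db8::1]:443") and
    pseudonyms such as for=_hidden, by skipping tokens that are not addresses.
    """
    found = []
    for token in _IP_TOKEN.findall(value):
        candidate = token
        # IPv4 with a port (1.2.3.4:8080): drop the port. IPv6 literals come out
        # of the regex without their brackets, and ":443" fails parsing below.
        if candidate.count(":") == 1 and "." in candidate:
            candidate = candidate.split(":")[0]
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return found


def leaked_addresses(server_env):
    """Map header name -> client addresses the proxy exposed.

    An address counts as exposed when it is not the peer we are talking to
    (REMOTE_ADDR) and not an internal proxy-chain hop.
    """
    peer = ipaddress.ip_address(server_env["REMOTE_ADDR"])
    leaks = {}
    for name in FORWARDING_HEADERS:
        value = server_env.get(name)
        if not value:
            continue
        exposed = [
            str(addr) for addr in extract_addresses(value)
            if addr != peer and not is_internal(addr)
        ]
        if exposed:
            leaks[name] = exposed
    return leaks


# Constructed request environment: we talk to a proxy at 198.51.100.7 that
# announces itself in Via and forwards the real client addresses.
SAMPLE_ENV = {
    "REMOTE_ADDR": "198.51.100.7",
    "HTTP_VIA": "1.1 198.51.100.7:3128 (squid/3.5)",
    "HTTP_X_FORWARDED_FOR": "203.0.113.5, 10.0.0.1",
    "HTTP_FORWARDED": 'for="[2001:db8::1]:443";proto=https, for=_hidden',
}

if __name__ == "__main__":
    print(leaked_addresses(SAMPLE_ENV))
```

Via is scanned as well because some proxies name themselves by address; here it only repeats the peer, so nothing from it is reported.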

Open HTTP proxy ports


The IP address from which the request to our page came can say a lot. For example, we can look at which ports are open on that side.

The most interesting ports are 3128, 1080 and 8123. If they are not in use, you can quite possibly avoid unfounded suspicion of running 3proxy, SOCKS5 or Polipo.

Open ports web proxy


As with HTTP proxies, a web proxy can be hung on any port, but we wanted the test to run very quickly, so we limited ourselves to a reverse connection to ports 80 and 8080.

Is there a web page there? Great! At the moment we can detect PHProxy, CGIProxy, Cohula and Glype.

Running the proxy on a non-standard port with authentication settles the question.

Suspicious hostname


Having the IP address, you can try to resolve the client's hostname (reverse DNS). Stop words that may hint at a tunnel: vpn, hide, hidden, proxy.

You should not bind domain names to a personal VPN, and if you do, avoid "speaking" names.

Difference in time zones (browser and IP)


From GeoIP data you can find out the country of the user's IP address, and therefore its time zone. Then you can calculate the difference between the time the browser reports and the time corresponding to the time zone of the VPN server.

Is there a difference? Then the user is probably hiding.

For Russia there is no precise latitude/longitude database for the regions, and since the country spans many time zones, we do not count these addresses in the final result. With European countries it is the opposite: they burn very well.

When switching to a VPN you need to remember to change the system time zone (the browser reports the system's time zone offset), change the time in the browser, or work with Russian proxies.
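The comparison behind this check, as an added example and not the service's code. The browser side would send `new Date().getTimezoneOffset()`; note that value is in minutes *behind* UTC (UTC+2 reports -120), which is the sign trap handled below. The per-country offset table is a constructed snapshot for a summer date (daylight time in Europe and the US); a real implementation would derive it from the tz database for the current instant. The example also encodes the Russia caveat from the text: a country with many zones only gives a definite answer when the reported offset is impossible anywhere in it.

```python
# Constructed snapshot of UTC offsets (minutes ahead of UTC) that occur in each
# country on a July date. Illustrative only; derive from tzdata in production.
COUNTRY_OFFSETS_MIN = {
    "DE": {120},                                  # Europe/Berlin, CEST
    "NL": {120},                                  # Europe/Amsterdam, CEST
    "GB": {60},                                   # Europe/London, BST
    "US": {-240, -300, -360, -420, -480, -600},   # ET .. HI (AZ shares -420)
    "RU": {120, 180, 240, 300, 360, 420, 480, 540, 600, 660, 720},  # 11 zones
}


def browser_offset_minutes(get_timezone_offset):
    """Convert JavaScript's Date.getTimezoneOffset() (minutes behind UTC) to the
    usual convention of minutes ahead of UTC: -120 -> +120."""
    return -int(get_timezone_offset)


def timezone_verdict(country, get_timezone_offset, max_zones=3):
    """Return (verdict, difference_minutes).

    verdict is one of:
      'match'        the reported offset is valid for the GeoIP country, and the
                     country has few enough zones for that to mean something
      'mismatch'     the offset occurs nowhere in that country; difference is
                     the distance in minutes to the nearest valid offset
      'inconclusive' unknown country, or a match in a country with more than
                     max_zones distinct offsets (the article skips Russia)
    """
    expected = COUNTRY_OFFSETS_MIN.get(country)
    if not expected:
        return "inconclusive", None
    reported = browser_offset_minutes(get_timezone_offset)
    diff = min(abs(reported - e) for e in expected)
    if diff == 0:
        return ("match" if len(expected) <= max_zones else "inconclusive"), 0
    return "mismatch", diff


if __name__ == "__main__":
    # A Moscow user (UTC+3, getTimezoneOffset() == -180) behind a German VPN.
    print(timezone_verdict("DE", -180))   # ('mismatch', 60)
    # A Berlin user on a Berlin address.
    print(timezone_verdict("DE", -120))   # ('match', 0)
```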

IP belonging to the Tor network


If your IP address is a Tor node from the list at check.torproject.org/cgi-bin/TorBulkExitList.py, congratulations, you have been burned.

Nothing criminal, but having the very fact that you are hiding disclosed is not very pleasant.

Turbo Browser Mode


By collecting the IP address ranges of Google, Yandex and Opera and comparing them with the user's address, you can infer the use of the traffic-compression services built into those companies' browsers.

As a rule, such services also leak your real address in the headers. Do not rely on traffic compression as a means of anonymization.
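One function covering three of the address-based checks above (suspicious reverse-DNS name, Tor exit list membership, compression-proxy ranges), as an added example rather than the service's code. The exit list text mimics the one-address-per-line format of the Tor bulk list with `#` comments; the CIDR ranges for Opera, Yandex and Google are documentation prefixes standing in for the real collected ranges, and the sample hostnames are made up. The actual PTR lookup (socket.gethostbyaddr) is left out so the block runs offline; the caller passes the resolved name in.

```python
import ipaddress
import re

# Constructed sample of a bulk exit list: one address per line, '#' comments.
TOR_EXIT_LIST = """\
# constructed sample in the format of the Tor bulk exit list
198.51.100.23
198.51.100.77   # trailing comments are tolerated
2001:db8:dead::beef
"""

# Stand-ins for the collected vendor ranges (documentation prefixes, not real).
COMPRESSION_PROXY_RANGES = {
    "Opera Turbo": ["203.0.113.0/26"],
    "Yandex Turbo": ["203.0.113.64/26"],
    "Google Data Saver": ["203.0.113.128/25", "2001:db8:1::/48"],
}

# Stop words from the article. Substring matching on the lower-cased name, so
# 'hide' also fires on names like hidemyass; 'hide' is not a substring of 'hidden'.
STOP_WORDS = ("vpn", "hide", "hidden", "proxy")


def load_exit_list(text):
    """Parse bulk-exit-list text into a set of ip_address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            exits.add(ipaddress.ip_address(line))
    return exits


def hostname_hints(ptr_name):
    """Return the stop words that occur in a reverse-DNS name, sorted."""
    name = ptr_name.lower()
    return [w for w in sorted(STOP_WORDS) if w in name]


def classify(ip, ptr_name=None, tor_exits=None,
             proxy_ranges=COMPRESSION_PROXY_RANGES):
    """Return the list of reasons the visiting address looks like a tunnel.

    An empty list means none of the three checks fired; it does not prove
    the visitor is not hiding.
    """
    addr = ipaddress.ip_address(ip)
    if tor_exits is None:
        tor_exits = load_exit_list(TOR_EXIT_LIST)
    reasons = []
    if addr in tor_exits:
        reasons.append("tor exit node")
    for vendor, cidrs in proxy_ranges.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            reasons.append(f"{vendor} compression proxy")
    if ptr_name:
        for word in hostname_hints(ptr_name):
            reasons.append(f"hostname contains '{word}'")
    return reasons


if __name__ == "__main__":
    print(classify("2001:db8:dead::beef", "vpn-gw3.hidden-services.example"))
    print(classify("203.0.113.70", "cache-3.turbo.example"))
    print(classify("192.0.2.10", "host-10.isp.example"))
```

In a real deployment the exit list is fetched periodically and the check also runs against the peer's IPv6 address, since a user may reach the page over one protocol and be recorded in the list under the other.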

Definition of web proxy (JS method)


By comparing window.location.hostname with the host of the page that was requested, you can determine whether a web proxy is in use.

Web proxies are unreliable in principle, so it is best to avoid this kind of anonymization altogether.

IP leakage via flash


Adobe Flash happily bypasses the user's proxy settings. By making it initiate a connection to our server, we can find out the user's IP.

You can learn a lot by running a special daemon that logs all incoming connections together with their tags. The best way not to reveal your address is not to use Adobe Flash at all, or to disable it in the browser settings.

Tunnel definition (two-way ping)


By pinging the client's IP from our server's side, you can find out the approximate length of the route. The same can be done from the browser: an XMLHttpRequest fetches a blank page from our nginx. A resulting round-trip difference of more than 30 ms can be interpreted as a tunnel.

Of course, the routes there and back may differ, or the web server may lag a little, but overall the accuracy is pretty good.

The only way to protect yourself is to block ICMP traffic to your VPN server.
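The comparison step of the two-way ping, as an added example and not the service's code. The server measures ICMP round trips to the visible address (when a tunnel is used, that is the VPN endpoint); the browser measures how long an XMLHttpRequest for an empty page takes on an already-open keep-alive connection, which is roughly one round trip plus server time. Two details a practitioner wants: take the minimum of several samples, because jitter and server load only ever add latency, and treat blocked ICMP as inconclusive rather than as "direct". The ping output and the XHR timings are constructed.

```python
import re

# Per-reply time from Linux/BSD `ping` output ("time=12.4 ms"); the summary
# lines ("time 3004ms", "rtt min/avg/max") deliberately do not match.
_PING_TIME = re.compile(r"time[=<]([\d.]+)\s*ms")


def parse_ping_times(ping_output):
    """Return the per-reply RTTs in milliseconds found in `ping` output."""
    return [float(m) for m in _PING_TIME.findall(ping_output)]


def _clean_min(samples):
    """Minimum of the usable samples, or None if there are none.
    Jitter and load only add latency, so the minimum best estimates the path."""
    values = [float(s) for s in samples if s is not None and s >= 0]
    return min(values) if values else None


def tunnel_verdict(icmp_rtt_ms, xhr_rtt_ms, threshold_ms=30.0):
    """Return (verdict, difference_ms).

    icmp_rtt_ms: RTTs the server measured toward the visible IP.
    xhr_rtt_ms:  RTTs the browser measured toward the server; with a tunnel
                 these include the extra client -> VPN endpoint legs.
    verdict:     'tunnel' if the browser's path is more than threshold_ms
                 longer, 'direct' otherwise, 'inconclusive' when either side
                 produced no measurement (e.g. ICMP blocked at the endpoint).
    """
    icmp = _clean_min(icmp_rtt_ms)
    xhr = _clean_min(xhr_rtt_ms)
    if icmp is None or xhr is None:
        return "inconclusive", None
    diff = xhr - icmp
    return ("tunnel" if diff > threshold_ms else "direct"), round(diff, 1)


# Constructed `ping -c 4` output toward a VPN endpoint 12-13 ms away from us.
SAMPLE_PING = """\
PING 198.51.100.23 (198.51.100.23) 56(84) bytes of data.
64 bytes from 198.51.100.23: icmp_seq=1 ttl=54 time=12.4 ms
64 bytes from 198.51.100.23: icmp_seq=2 ttl=54 time=12.9 ms
64 bytes from 198.51.100.23: icmp_seq=3 ttl=54 time=45.0 ms
64 bytes from 198.51.100.23: icmp_seq=4 ttl=54 time=13.1 ms

--- 198.51.100.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 12.400/20.850/45.000/13.950 ms
"""

# Constructed browser-side XHR timings (ms): the user sits ~60 ms beyond the
# VPN endpoint, so the browser sees a much longer path than our ping does.
XHR_BEHIND_VPN = [76.0, 74.2, 79.9]
# A direct visitor whose own ping and XHR paths are the same route.
ICMP_DIRECT, XHR_DIRECT = [31.0, 30.2, 30.8], [38.5, 36.9, 41.0]

if __name__ == "__main__":
    print(tunnel_verdict(parse_ping_times(SAMPLE_PING), XHR_BEHIND_VPN))  # tunnel
    print(tunnel_verdict(ICMP_DIRECT, XHR_DIRECT))                        # direct
    print(tunnel_verdict([], XHR_DIRECT))                                 # inconclusive
```

The 30 ms threshold is the one the text gives; it absorbs server processing time and modest route asymmetry, so a fresh TCP connection (which costs an extra round trip for the handshake) must not be used for the XHR measurement or direct visitors will trip it.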

DNS leak


Finding out which DNS server a user uses is not a problem: we wrote our own DNS server, which records every query for our uniquely generated subdomains.

The next step was collecting statistics on several million users: who uses which DNS. We tied the resolvers to providers, discarded public DNS and obtained a list of DNS / ISP pairs.

Now it is not at all difficult to find out whether a user presents himself as a subscriber of one network while using DNS entirely from another.

The problem is partly solved by using public DNS services, if that can be called a solution.
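The correlation step of the DNS leak check, as an added example and not the service's code. The page embeds a hostname carrying a per-visitor token under a zone we are authoritative for; our DNS server logs which resolver asked for it; the resolver's address and the visitor's visible address are then both mapped to a provider and compared. The log format, the zone name check.example, the prefix-to-ISP table and the tokens are all constructed; the public resolver set contains real well-known resolver addresses.

```python
import ipaddress
import re

# Constructed log lines from our authoritative server for the zone
# check.example: which resolver asked for which visitor token.
DNS_LOG = """\
2015-07-20T12:00:01Z query from 198.51.100.53 for a1b2c3.check.example. A
2015-07-20T12:00:01Z query from 198.51.100.53 for a1b2c3.check.example. AAAA
2015-07-20T12:00:04Z query from 8.8.8.8 for d4e5f6.check.example. A
2015-07-20T12:00:07Z query from 203.0.113.2 for 778899.check.example. A
"""

# Constructed stand-in for the collected DNS/ISP statistics.
PREFIX_ISP = {
    "198.51.100.0/24": "ISP-North",
    "203.0.113.0/25": "ISP-South",
    "203.0.113.128/25": "VPN-Hoster",
}

# Public resolvers are excluded from the pairing, as the article describes.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "77.88.8.8"}

_LOG_LINE = re.compile(
    r"query from (\S+) for ([0-9a-f]+)\.check\.example\. (?:A|AAAA)\b")


def resolvers_by_token(log_text):
    """Map visitor token -> set of resolver addresses that looked it up."""
    seen = {}
    for line in log_text.splitlines():
        m = _LOG_LINE.search(line)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(1))
    return seen


def isp_for(ip):
    """Longest-prefix lookup is not needed here: the table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for prefix, isp in PREFIX_ISP.items():
        if addr in ipaddress.ip_network(prefix):
            return isp
    return None


def dns_leak_verdict(client_ip, token, log_text=DNS_LOG):
    """Compare the provider of the visible address with the provider of each
    resolver that asked for the visitor's token.

    Returns (verdict, [(resolver, provider_or_'public'), ...]) with verdict:
      'no-query'    nobody resolved the token (blocked, cached, or not yet)
      'leak'        a resolver belongs to a known provider other than the
                    visible address's provider: the real ISP shows through
      'public-dns'  only public resolvers were used, nothing to pair
      'unknown'     a resolver we have no provider mapping for
      'consistent'  resolver provider matches the visible address
    """
    resolvers = resolvers_by_token(log_text).get(token, set())
    if not resolvers:
        return "no-query", []
    client_isp = isp_for(client_ip)
    findings = [(r, "public" if r in PUBLIC_RESOLVERS else isp_for(r))
                for r in sorted(resolvers)]
    isps = {isp for _, isp in findings}
    if any(isp not in (None, "public") and isp != client_isp for isp in isps):
        return "leak", findings
    if None in isps:
        return "unknown", findings
    if isps == {"public"}:
        return "public-dns", findings
    return "consistent", findings


if __name__ == "__main__":
    # Visible address in the VPN hoster's range, but the query came from ISP-North.
    print(dns_leak_verdict("203.0.113.200", "a1b2c3"))
```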

Leak through VKontakte


This is not an IP address leak, but we still believe that by handing out the names of logged-in users to anyone and everyone, VK leaks private data that undermines the whole anonymity of surfing.

More information can be found at vk.com/dev/openapi. The "Log out" button after each session generally resolves the issue, but the best recommendation is not to log in at all :)

Thanks for your attention!

Source: https://habr.com/ru/post/263557/
