PROXIE LIST FOR TRAFFIC BOTS MAC OS X
While there is nothing terribly unusual about a Chrome 70 browser ( October 2018) running on Mac OS X 10.13.6 ( July 2018), the proxy_ip: portion is not frequently seen, especially at the high volume we observed for this particular customer.Īfter investigating a few of the entities making these requests, we determined the “proxy-ip:” User-Agent was only being sent when they requested static resources like. We track the prevalence of User-Agents observed across our platform and flag unusual characteristics in these for further analysis. Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko)
These requests were coming from multiple IPs and had a very similar user agent string: GET /path/to/resource.css HTTP/1.1 User-Agent: proxy_ip:X.X.X.X:60000 Mozilla/5.0 (Macintosh ThreatX Labs first noticed the bot activity when a customer received a high volume of requests with “proxy_ip:X.X.X.X:60000” in the “User-Agent” header. In this blog we describe how we detected this bot activity and network of private proxy servers, the network’s composition, and our approach for protecting our customers from its malicious behavior. This custom network of proxies gave the offenders the advantage of relatively clean, un-blacklisted IP space from which to launch their attacks. These techniques enable an attacker to use far fewer bots to have the same amount of impact as a larger network.ĭuring our investigation we found attackers using an unusual approach to amplify their impact and evade detection – a custom network of private proxy servers distributed across multiple networks and Virtual Private Server (VPS) providers.
So some clever attackers use a combination of TOR exit nodes, open proxies, and VPN services to mask their true IP addresses. However, it is not easy to manage over 10,000 hacked devices, yet alone acquire that many shell accounts. It is not unusual for us to see a credential stuffing or comment spam botnet using as many as 10,000 different IPs consisting of hacked servers, workstations, and increasingly more – IoT devices. A more advanced attacker evades detection by rotating their IP addresses every few tries, staying below the radar of application authentication processes and security teams.
0 kommentar(er)
