2. Who we are
Jen Savage
◦ Software Developer
◦ @savagejen
Dan Crowley
◦ Managing Consultant at Trustwave SpiderLabs
◦ @dan_crowley
3. What is a patsy proxy?
Patsy (noun): A person who is easily taken advantage of
Proxy (noun): A person authorized to act on the behalf of another
A patsy proxy is anything that can be used to unwittingly perform an attack on the behalf of another.
4. Advantages of a patsy proxy
Proxy owner is unaware of proxy
Target is unaware that victim acts as proxy
◦ Not publicly listed as a proxy
◦ No traditional proxy service on victim
Logging unlikely
IP may be privileged
5. Disadvantages of a patsy proxy
Attack capabilities may be limited
◦ May be blind
◦ May change the traffic
◦ May have a time delay
◦ May pass only certain types of traffic
What is inside the black box?
◦ May be logged
6. On patsy limitations
Patsy only allows GET params
◦ Many applications accept POST params in GET
Patsy only makes HEAD requests
◦ Many applications process HEAD/GET the same
No data will be returned
DoS capability severely limited
Patsy is blind
◦ Many attacks can be launched blind
9. Anonymize an attack
Attack will trace back to the patsy
◦ Is the patsy logging?
Traditional attacks
◦ SQLi
◦ RFI
◦ DoS
10. Bypass IP address filtering
Evade IP blacklist
◦ IP ban
◦ Sites which disallow proxies
Exploit IP trust relationships
◦ Business partnerships
◦ Proxies usually disallow internal access
Not the case with unintentional proxying
15. Automated Services
Malware Scanning Utilities
Mail Gateway Scanners
◦ Thanks to Jcran for his Project Tuna data: tuna.pentestify.com/emails
Other
Good job Google on the Google Safe Browsing Database!
22. Recursive DoS
Point the patsy back at itself
Traffic amplification factor:
◦ MAX_URI / patsy URI length * 2
Tack a large resource onto the last iteration
20 requests resulted in 30 minutes downtime
◦ Over the LAN!
23. Recursive DoS
“If it’s stupid but it works, it isn’t stupid.”
patsy.php contained fopen($_GET['site'], 'r');
25. DDoS through patsies
I have 2MB up
I have 30 patsies, each 15MB up
I have Python
By your powers combined…
…I AM CAPTAIN DOWNTIME
26. Access to Internal Networks
Modern proxies enforce boundaries between internal / external
Unintentional proxies may allow boundary violation
◦ http://patsy.com/?site=http://10.0.0.1/admin.htm
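The fopen($_GET['site'], 'r') patsy of slide 23 and the internal-address fetch of slide 26 fail for the same reason: nothing checks where the user-supplied URL leads. As an added example that is not the authors' code, here is a Python check a fetcher could run before retrieving such a URL; it refuses non-HTTP schemes, internal address ranges and URLs that point back at the patsy itself. The CONSTRUCTED_DNS table, offline_resolver, own_hosts and the hostnames are assumptions so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, php://, ftp://, gopher:// via the patsy
# Constructed DNS table so the example runs offline; use live_resolver in real code.
CONSTRUCTED_DNS = {
    "example.com": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.1"},
    "dual.example": {"93.184.216.35", "192.168.1.1"},  # one public, one private record
}

def live_resolver(host):
    # Every A/AAAA record matters: a single private record is enough to reach the LAN.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def offline_resolver(host):
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    return {str(ipaddress.ip_address(host))}  # bare IP literal; ValueError if unknown name

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:10.0.0.1 is still 10.0.0.1
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_fetch_url(url, own_hosts, resolver=live_resolver):
    # Returns (allowed, reason). own_hosts: every name/IP this service answers on.
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower() in {h.lower() for h in own_hosts}:
        return False, "points back at the patsy (recursive DoS)"
    try:
        addrs = resolver(host)
    except (OSError, ValueError):
        return False, "host does not resolve"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    # Connect to an address checked here rather than re-resolving, or a DNS
    # rebinding between check and fetch defeats the check.
    return True, "ok"
```

Checking the resolved addresses rather than the hostname string is what catches a name with a private record, and refusing own_hosts is what stops the self-referencing chain behind the recursive DoS.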
27. Conclusion
Attribution is Hard(er)
◦ An IP address is not a person
IP address filtering is ineffective
Think before generating traffic for users
User education is valuable for users, too
◦ Don’t Take Candy from Internet Strangers