
Thread: chain... chain... chain... a chain of proxies

  1. #1
    Member
    Join Date
    May 2006
    Posts
    119

    Default chain... chain... chain... a chain of proxies

    What I don't understand about proxies is this:

    I know that if I originate a request via a number of protocols through a proxy, my originating IP is hidden from the equipment receiving the request at the final destination, but the packet must return, back to me, and that IP number must be encapsulated in the datagram or IP stack somewhere in there, no? Or does that last router/switch/proxy computer have that IP stored safely away from prying eyes?

    And what I really, really cannot understand is if a malicious user compromises a machine somewhere on the other side of the globe and drops a "phone home" type of executable in the machine and further instructs that executable to use proxies on its voyage home, certainly the first packet coming out of that compromised machine must have the final destination embedded in it and if you are sniffing the wire over there... well, voila, you have the final destination IP.

    Now please, I'm learning, so tell it to me like it is! I have a need to know!

    Thank you.

  2. #2
    Junior Member
    Join Date
    Dec 2008
    Posts
    69

    Default

    That's not quite how TCP/IP works. I'd suggest you get hold of TCP/IP Illustrated or something similar but in the meantime...

    1 - Source opens TCP connection to Proxy and sends request to Proxy.
    2 - Proxy opens TCP connection to Destination and sends request to Destination.
    3 - Destination sends reply to Proxy over the pre-existing connection to Proxy.
    4 - Proxy sends reply from Destination to Source over pre-existing connection to Source.

    Naturally that's not quite how it works either but hopefully it will give you some idea of what actually happens.

    As for your phone home malware, that is the source in the above analogy so you can capture the destination address by sniffing the traffic.
    First Rule of Holes: When you're in one - Stop Digging!

  3. #3
    Member
    Join Date
    Nov 2007
    Posts
    220

    Default

    Scrub that, thinking of natting and not proxies.

    /me slaps self on head.
    wtf?

  4. #4
    Member
    Join Date
    May 2006
    Posts
    119

    Default

    Thanks for that reply. I do understand the routing, always did. My real concern is for a piece of malware sitting in Timbuktu phoning home and from what I gather there is no way for it to hide its IP destination address as the packets fly out the socket?

  5. #5
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    Just don't get confused with proxies and routers.
    A router forwards packets, and the destination+source field in the IPv4 packet never change.
    A proxy will modify the source address to its own. So if you are connecting through a chain of 2 proxies, the source address will change out of each exit interface of the "router" acting machines.
    Take note that the DESTINATION address will always remain.
    you --> proxy1 --> proxy2 --> google.dk
    Google knows of proxy2's IP. Proxy2 knows only of proxy1's IP. But Proxy1 knows your IP.
    Correct me if I'm wrong

    http://www.bol.ucla.edu/services/proxy/curious.html
    http://www.proxyblind.org/proxy_chaining.shtml
    - Poul Wittig

  6. #6
    Junior Member
    Join Date
    Dec 2008
    Posts
    69

    Default

    Quote Originally Posted by Deathray View Post
    A proxy will modify the source address to its own. So if you are connecting through a chain of 2 proxies, the source address will change out of each exit interface of the "router" acting machines.
    you --> proxy1 --> proxy2 --> google.dk
    Google knows of proxy2's IP. Proxy2 knows only of proxy1's IP. But Proxy1 knows your IP.
    Correct me if I'm wrong

    Yes, that's pretty much it for a 'standard' http proxy with one caveat, it doesn't actually alter the source address. It simply forwards the request in such a way that it appears to be coming from the proxy.

    In technical terms the forwarding takes place at the application layer so only the payload, i.e. the browser request, is being forwarded and not the actual TCP/IP packets.


    Quote Originally Posted by bulgin View Post
    Thanks for that reply. I do understand the routing, always did. My real concern is for a piece of malware sitting in Timbuktu phoning home and from what I gather there is no way for it to hide its IP destination address as the packets fly out the socket?
    Hmm... Not doing anything naughty are you?

    Just remember these guys have access to a stockpile of Holy HandGrenades. Have a trawl through the Idiots Corner and you'll see what I mean.
    First Rule of Holes: When you're in one - Stop Digging!

  7. #7
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    Quote Originally Posted by Phoneywar View Post
    Yes, that's pretty much it for a 'standard' http proxy with one caveat, it doesn't actually alter the source address. It simply forwards the request in such a way that it appears to be coming from the proxy.

    In technical terms the forwarding takes place at the application layer so only the payload, i.e. the browser request, is being forwarded and not the actual TCP/IP packets.
    What you are saying makes no sense - because the actual http data is inside the data field of the IP packet. You can't just send HTTP data back and forth without using the OSI model. A packet MUST have a source and destination ip address, unless the 2 hosts are connected on a switch where layer 3 will be skipped.
    Watch this video I uploaded a long time ago to see a demonstration of the OSI Model and you will understand better. The magic word is encapsulation.
    http://video.google.com/videosearch?...el&emb=0&aq=f# (first video)
    Haha just found this one too and found it quite weird :b
    http://video.google.com/videoplay?do...+encapsulation
    - Poul Wittig

  8. #8
    Junior Member
    Join Date
    Dec 2008
    Posts
    69

    Default

    Quote Originally Posted by Deathray View Post
    What you are saying makes no sense - because the actual http data is inside the data field of the IP packet. You can't just send HTTP data back and forth without using the OSI model. A packet MUST have a source and destination ip address, unless the 2 hosts are connected on a switch where layer 3 will be skipped.
    You are of course correct about encapsulation etc. but this all takes place within the application layer. When used without a proxy server, the browser does all the work of resolving the webserver ip address, opening a connection to it and sending the request etc. It knows the server ip address and is connected 'directly' to it via tcp/ip.

    When used with a proxy server, the browser resolves the proxy ip address, opens a connection and sends the request to the proxy. The proxy then does exactly what the browser would have done without the proxy. The browser neither knows nor cares about the webserver ip address as it is never connected 'directly' to it, only to the proxy.

    So you see, your earlier post about each stage in the chain only being able to see the ip address of the previous stage is correct as the tcp/ip connections from each stage only go as far as the preceding and following stages. No further. It is only the data contained within the encapsulation, the http request, which is passed onto the next stage.

    By contrast a router doesn't look at or care what is inside an ip packet. It simply processes the packet based on the information within the ip header, which includes source and destination ip addresses of course.

    I'm sorry if I confused you. Perhaps I didn't explain it as clearly as I thought I had.
    First Rule of Holes: When you're in one - Stop Digging!
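    An added illustration of the mechanism described in #6 and #8 (example code, not written by any poster): a loopback-only HTTP forward proxy in Python. The origin server only ever sees the proxy's TCP peer address, while the client's first hop carries the destination host and port in cleartext in the request line, which is exactly what a sniffer on that first segment would read (the original question in #1 and #4). All addresses are 127.0.0.1 with ports chosen at run time; nothing leaves the local machine.

```python
import socket
import threading
from urllib.parse import urlsplit

def parse_request_target(request: bytes):
    """Return (host, port, path) from an HTTP forward-proxy request line.
    Browsers send the absolute form ('GET http://host:port/path HTTP/1.1') to a
    proxy, so the final destination is in cleartext on the client->proxy hop."""
    method, target, _version = request.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    parts = urlsplit(target)
    return parts.hostname, parts.port or 80, parts.path or "/"

def run_origin(listener, log):
    """Origin server: record the TCP peer, which is the proxy, never the client."""
    conn, log["origin_saw"] = listener.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")

def run_proxy(listener, log):
    """Proxy: terminate the client's connection, open a fresh one to the origin."""
    client, _ = listener.accept()
    with client:
        host, port, path = parse_request_target(client.recv(4096))
        with socket.create_connection((host, port)) as upstream:
            log["proxy_addr"] = upstream.getsockname()
            # Only the application payload is re-issued; no IP header is forwarded.
            upstream.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode())
            client.sendall(upstream.recv(4096))

def demo():
    """Run client -> proxy -> origin on loopback and report who saw which address."""
    origin, proxy = socket.socket(), socket.socket()
    for s in (origin, proxy):
        s.bind(("127.0.0.1", 0)); s.listen(1)   # constructed: ephemeral ports
    log = {"dest_port": origin.getsockname()[1]}
    threads = [threading.Thread(target=run_origin, args=(origin, log)),
               threading.Thread(target=run_proxy, args=(proxy, log))]
    for t in threads: t.start()
    with socket.create_connection(proxy.getsockname()) as c:
        log["client_addr"] = c.getsockname()
        # What a sniffer on the first hop sees: destination host and port in clear.
        log["first_hop_bytes"] = f"GET http://127.0.0.1:{log['dest_port']}/ HTTP/1.1\r\n\r\n".encode()
        c.sendall(log["first_hop_bytes"])
        log["reply"] = c.recv(4096)
    for t in threads: t.join()
    origin.close(); proxy.close()
    return log
```

Running `demo()` shows `origin_saw` equal to `proxy_addr` and different from `client_addr`, while `first_hop_bytes` names the origin's port outright, which is why the thread's later advice to encrypt the first hop matters.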

  9. #9
    Member
    Join Date
    May 2006
    Posts
    119

    Default

    Youza! I did look through the idiots corner. Wow! First time I looked over there! No I'm not attempting anything like what (apparently) some of the forum users are interested in. I just wanted to know what all the fuss about proxying is. It is good for hiding your IP apparently when you are initiating the connection, and from what I understand there are many proxies out there that are indeed sniffing people's traffic so what's so safe about that unless you now encrypt, which seems the way to go. Interesting. Very, very, interesting. In fact from what I've heard there are a lot of tor exit points sniffing traffic which would also have the ability to grab the final destination IP. So much of this seems minimally protective in a world of nefarious users. I guess for standard web browsing and the like it's fairly good, though. I guess if you control a proxy you could theoretically mask final IP's destination somehow.

  10. #10
    Junior Member
    Join Date
    Dec 2008
    Posts
    69

    Default

    Quote Originally Posted by bulgin View Post
    Youza! I did look through the idiots corner. Wow! First time I looked over there!
    Quite an eye-opener isn't it?


    Quote Originally Posted by bulgin View Post
    In fact from what I've heard there are a lot of tor exit points sniffing traffic which would also have the ability to grab the final destination IP. So much of this seems minimally protective in a world of nefarious users. I guess for standard web browsing and the like it's fairly good, though. I guess if you control a proxy you could theoretically mask final IP's destination somehow.
    I think the point you're missing is that proxies, tor or 'standard', are for masking the source ip address, not the destination.

    As for tor exits, or other proxies for that matter, it's not simply the destination ip they're after but the actual traffic itself.
    First Rule of Holes: When you're in one - Stop Digging!
