Abstract
Tracing nefarious HTTP activity to its source is sometimes extremely difficult when HTTP (and/or SOCKS) proxies are used for origin obfuscation. This paper describes a technique for tracing HTTP traffic through one or more non-cooperating HTTP (and/or SOCKS) proxies. The technique uses only passive observations of TCP/IP headers. Furthermore, the technique need only observe a single direction of the underlying TCP flows, i.e., the technique is asymmetric-route-robust. The technique represents a set of HTTP transactions as an activity profile. These profiles may be either distilled from passive network observations or logged by a cooperating web server. Using statistical correlation techniques, we can trace both end-to-end SSL-encrypted HTTP and unencrypted HTTP despite the source obfuscation methods employed by many contemporary proxies. The technique may be used to narrow the search space before applying other, more resource-intensive traceback techniques.
Approved for Public Release; distribution unlimited.
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Edell, R.J., Kruus, P., Meth, U. (2006). Tracing HTTP Activity Through Non-cooperating HTTP Proxies (Short Paper). In: Ning, P., Qing, S., Li, N. (eds) Information and Communications Security. ICICS 2006. Lecture Notes in Computer Science, vol 4307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11935308_35
DOI: https://doi.org/10.1007/11935308_35
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-49496-6
Online ISBN: 978-3-540-49497-3
eBook Packages: Computer Science (R0)