Web Open Proxy on Amazon Web Services

Goal: Recurring test for Open Proxy on AWS

In an IaaS environment, security follows a shared responsibility model, and AWS explains this very clearly.

AWS users must take care of their instances and AMIs, especially when sharing them, as explained in the AWS guidance on hardening and requirements before publishing an AMI:

7. Ensure that the system does not violate the Amazon Web Services Acceptable Use Policy. Examples include open SMTP relays or proxy servers.

Read more on the Amazon Web Services™ Acceptable Use Policy.

Moreover, security issues have been found on open proxy servers that lead to exploits such as credential retrieval. You can read more in Nimbostratus – Tools for fingerprinting and exploiting Amazon cloud infrastructures.

We, at SecludIT, have added an Open Proxy Check to Elastic Detector (Elastic Vulnerability Assessment for Cloud Infrastructures) for AWS cloud infrastructures; the check runs periodically.

To choose a sensible check frequency, we set up a test environment and measured how quickly an open proxy gets discovered.

Test: Setup an open proxy on AWS and wait for hackers

To set up the test environment, we used an AWS Linux instance running an Apache server with an incorrect proxy configuration, and monitored it for suspicious activity.

We started an AWS t1.micro Linux instance in US-East-1 and installed an Apache server with (misconfigured) proxy mode enabled.

Security note:

  • The default Apache configuration was OK.
  • We did not publish the IP in our DNS or take an EIP.
  • Malicious outgoing traffic was blocked.
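The misconfiguration used for the test is the classic one: Apache's forward-proxy mode switched on with no client restriction. As an added example (not the post's or SecludIT's code), the small audit below scans an httpd configuration for that pattern; the two configurations it is run against are constructed samples, one open and one closed down to reverse proxying only.

```python
"""Flag an Apache httpd configuration that enables an open forward proxy.

Added example, not the original post's code.  The two configurations below
are constructed samples: OPEN_PROXY_CONF reproduces the kind of
misconfiguration used in the test, HARDENED_CONF only reverse-proxies a
local backend.
"""
import re

# Constructed sample: forward proxying enabled for anyone who can reach port 80,
# and CONNECT tunnelling (used for SMTP/HTTPS abuse) available too.
OPEN_PROXY_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

ProxyRequests On
ProxyVia On
"""

# Constructed sample: forward proxying off (the default), CONNECT module not
# loaded, and only an explicit reverse proxy to a local backend.
HARDENED_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

ProxyRequests Off
ProxyPass "/app/" "http://127.0.0.1:8080/app/"
ProxyPassReverse "/app/" "http://127.0.0.1:8080/app/"
"""


def _directives(conf: str) -> list:
    """Strip comments and blank lines, return the remaining directive lines."""
    lines = [line.split("#", 1)[0].strip() for line in conf.splitlines()]
    return [line for line in lines if line]


def audit_proxy_config(conf: str) -> list:
    """Return a list of findings; an empty list means no open-proxy indicator."""
    findings = []
    lines = _directives(conf)

    if any(re.fullmatch(r"ProxyRequests\s+On", l, re.I) for l in lines):
        findings.append("ProxyRequests On: forward proxying is enabled")
        # With forward proxying on, only a <Proxy> block that actually limits
        # clients (Require ip / local / all denied) keeps it from being open.
        in_proxy, restricted = False, False
        for l in lines:
            if re.match(r"<Proxy\b", l, re.I):
                in_proxy = True
            elif re.match(r"</Proxy>", l, re.I):
                in_proxy = False
            elif in_proxy and re.match(r"Require\s+(ip|local|all\s+denied)\b", l, re.I):
                restricted = True
        if not restricted:
            findings.append("no <Proxy> block restricting clients: open to the whole internet")

    if any(re.search(r"proxy_connect_module", l, re.I) for l in lines):
        findings.append("mod_proxy_connect loaded: CONNECT tunnelling to arbitrary ports is available")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_PROXY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_proxy_config(conf) or ["no findings"])
```

The check is deliberately narrow: it looks at the directives that decide whether Apache will forward requests for anybody, which is exactly what the probes in the logs below exercise. A real audit would also walk `Include`d files and virtual hosts.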

Some commands for extracting information from the Apache logs:

  • Count the proxy attempts that name an explicit port (e.g. CONNECT host:25)
    grep -E ':[0-9]+ HTTP' /var/log/httpd/access_log | wc -l
  • List all the different IPs that connected
    awk '{print $1}' /var/log/httpd/access_log | sort -u > ips.txt
  • Find the countries of the IPs in that list (one whois lookup per IP; take the first country line and append rather than overwrite)
    for ip in $(cat ips.txt); do whois "$ip" | grep -i -m1 '^country' | grep -o -E '[a-zA-Z]+$' >> ip_countries.txt; done

Results: Unsolicited Access from AWS in less than 40 minutes

The Web server ran for around 2 days (the server was stopped during the first night, French time) and was accessed by 1686 different IPs coming from 39 countries. Here are some statistics.

Country   CN    US    DE   HK   FR   NL   GB   JP   PH   RU
Count     968   139   30   22   15   14   13   12   12   10

[Image: OpenProxy_Hackers_World]

We noticed that the first access was made from Amazon Web Services less than 40 minutes after we started the Web server. Then unsolicited traffic came from China (less than 120 minutes later), the University of Wisconsin, the Verizon network and OVH (just to give some examples of incoming traffic).

We also noticed that the hackers were interested in using the proxy server to find SMTP relays. More than 3200 requests tried to connect to an SMTP server (around 2/3), 1308 tried to connect to an HTTPS server (around 1/3) and fewer than 100 tried to connect to an HTTP server.

Server type   SMTP         HTTPS        HTTP
Attempts      3222 (69%)   1308 (28%)   91 (1%)
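The shell one-liners above count proxy attempts by grepping for a port, and the table here classifies them by target service. As an added example (not the post's or SecludIT's code), the script below does both steps over Apache combined-format lines: it recognises the two proxy request forms (absolute URI and CONNECT), extracts the target port, and produces the unique-IP count and the per-service breakdown. The log lines are constructed samples modelled on the ones quoted in the post, with RFC 5737 documentation addresses in place of the real sources.

```python
"""Classify proxy-abuse requests in an Apache access log.

Added example, not the original post's code.  Parses combined-format lines,
keeps the ones that ask the server to act as a proxy, works out the target
port and aggregates per client IP and per target service.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation addresses, not the real sources).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2013:16:12:31 +0000] "GET http://www.example.com HTTP/1.0" 200 100751 "-" "-"
192.0.2.10 - - [07/Oct/2013:16:12:32 +0000] "CONNECT www.example.com:80 HTTP/1.0" 403 296 "-" "-"
198.51.100.7 - - [08/Oct/2013:10:39:26 +0000] "GET /phppath/php */*" 404 304 "-" "-"
198.51.100.7 - - [08/Oct/2013:10:40:01 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 403 296 "-" "-"
203.0.113.5 - - [08/Oct/2013:11:02:13 +0000] "CONNECT login.example.org:443 HTTP/1.1" 403 296 "-" "-"
203.0.113.5 - - [08/Oct/2013:11:02:14 +0000] "GET http://203.0.113.99:8080/ HTTP/1.1" 403 296 "-" "-"
203.0.113.5 - - [08/Oct/2013:11:02:15 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Port-to-service mapping used for the breakdown (SMTP submission ports included).
SERVICE_BY_PORT = {25: "SMTP", 465: "SMTP", 587: "SMTP", 443: "HTTPS", 80: "HTTP"}


def proxy_target(method, target):
    """Return (host, port) if the request asks the server to proxy, else None."""
    if method == "CONNECT":
        # CONNECT host:port is the tunnelling form used for SMTP/HTTPS relaying.
        host, _, port = target.rpartition(":")
        return (host, int(port)) if port.isdigit() else None
    if "://" in target:
        # Absolute-URI request line: the plain forward-proxy form.
        u = urlsplit(target)
        if u.hostname:
            return (u.hostname, u.port or (443 if u.scheme == "https" else 80))
    return None  # ordinary origin-form request aimed at this server itself


def analyse(log_text):
    """Count unique client IPs, proxy attempts per IP and attempts per target service."""
    clients, proxy_by_ip, by_service = set(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable combined-format line
        clients.add(m["ip"])
        hp = proxy_target(m["method"], m["target"])
        if hp is None:
            continue
        proxy_by_ip[m["ip"]] += 1
        by_service[SERVICE_BY_PORT.get(hp[1], f"other:{hp[1]}")] += 1
    return {
        "unique_ips": len(clients),
        "proxy_attempts_by_ip": dict(proxy_by_ip),
        "attempts_by_service": dict(by_service),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real `access_log`, the `attempts_by_service` counter gives the SMTP/HTTPS/HTTP split shown in the table, and a non-empty `proxy_attempts_by_ip` on a server that is not meant to proxy at all is itself the detection signal.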

Some logs of the test:

The Web server was started on Oct 07, stopped during the night (French time) and restarted on Oct 08. As you can see, unsolicited traffic comes from Amazon Web Services, China, the Computer Sciences Department of the University of Wisconsin – Madison, SingleHop – US, EDIS GmbH – Austria, Verizon FiOS – US, OVH Systems – France, …

Day 1: First unsolicited traffic (< 40 minutes later) from AWS US-West-2

54.200.33.221 - - [07/Oct/2013:16:12:31 +0000] "GET http://www.cvs.com HTTP/1.0" 200 100751 "-" "-"
54.200.33.221 - - [07/Oct/2013:16:12:32 +0000] "HEAD http://www.cvs.com HTTP/1.0" 200 - "-" "-"
54.200.33.221 - - [07/Oct/2013:16:12:32 +0000] "CONNECT www.cvs.com:80 HTTP/1.0" 403 296 "-" "-"

Day 2 (service stopped during the night): First unsolicited traffic (> 60 minutes later) from China

124.160.227.23 - - [08/Oct/2013:10:39:26 +0000] "GET /phppath/php */*" 404 304 "-" "-"

Conclusion of the test

This very short study answers our main question. Moreover, it shows a bit more about how hackers behave and what their goal is.

Open Proxy Check

After the test, we decided to set the default frequency of our Open Proxy Check to 30 minutes. This seems a reasonable value, as the first access occurred less than 40 minutes after starting a service that was not published on the internet.

[Image: ElasticDetector_OpenProxy]

Detection in Elastic Detector Event Log

We have also seen that this traffic has a high impact on the performance of the Web server, so such unsolicited traffic could be detected using our Availability Check as well.

First sign: Web Server under Attack or Heavy Load

[Image: ElasticDetector_HTTP_Check]

Final sign: Web Server does not respond within an acceptable delay

[Image: ElasticDetector_HTTP_Check_2]

One thing we forgot to say is that “of course we got SSH brute force attempts from China” 🙂

/Fred

2 thoughts on “Web Open Proxy on Amazon Web Services”

  1. Thank you for publishing this awesome article. I have been searching for a long time for an answer on this subject and I have
    finally found it on your site. I registered your blog in my RSS feed and shared it on my Twitter.
    I will come back for sure to check your future posts!
