Anonymous Proxies: The Double-Edged Sword of Online Privacy


Introduction

In today’s digital age, where an individual’s every online action can leave a lasting footprint, the importance of online privacy and security cannot be overstated. Various tools and technologies have been developed to protect users’ privacy, among which anonymous proxies stand out as both enigmatic and essential. This blog aims to demystify the complex world of anonymous proxies, offering an in-depth understanding of their functionalities, types, and use-cases. By shedding light on how these proxies operate to mask your identity and shield your data, we will arm you with the knowledge you need to navigate the digital world more safely and confidently. Whether you are an individual looking to protect personal information or a business aiming to secure digital assets, this blog will serve as your comprehensive guide to understanding and leveraging anonymous proxies for enhanced online security.

What is an Anonymous Proxy?

Anonymous proxies serve as intermediaries between users and the internet. By masking the user’s IP address and filtering incoming data, these proxies make online activities less traceable. This layer of anonymity provides a shield against unauthorized access, enabling users to navigate the web incognito.

The Advantages of Staying Anonymous

The ability to stay anonymous online offers individuals a shield of privacy, safeguarding personal information from prying eyes and potential threats. This newfound sense of security extends to activities like secure web browsing, ensuring confidential transactions, and protecting sensitive data. Anonymity can empower users to freely access geo-restricted content, fostering a more open and unrestricted online experience.

Anonymous Proxies During an Attack

In most of our customers' peacetime traffic, we observe that only about 2% of all network traffic is sourced from anonymous proxies. During suspected attack scenarios, however, the anonymous proxy share rises dramatically to between 50% and 75% of the total incoming traffic. This is a significant indicator that an attack might be underway, although it is crucial to note that this parameter alone is not sufficient to definitively conclude that an attack is happening.

To increase the reliability of attack detection, we recommend combining anonymous proxy rate with other parameters like geolocation. For instance, if a surge in anonymous proxy traffic is paired with unusual geolocation patterns, this combination could bolster the validity of attack detection.

That said, it is essential to consider the nature of the website being protected. Some websites, such as gambling, streaming websites, or adult-content platforms, naturally attract a larger portion of legitimate traffic from anonymous proxies. In such cases, a high rate of anonymous proxy traffic may not be a reliable indicator of an attack. Therefore, a nuanced approach that considers multiple factors is necessary for effective security monitoring and incident response.
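The combined check described above, as an added example that is not Radware's code: it scores a traffic window by anonymous-proxy share and by the share of requests from countries absent from the site's peacetime profile, and only flags a suspected attack when both signals fire. The records, the thresholds and the per-site profile are constructed assumptions; in practice the proxy flag would come from an anonymous-proxy reputation feed.

```python
# Added example (not from the original post): combine anonymous-proxy share
# with a geolocation signal, and keep a proxy surge alone from being conclusive.

# Constructed sample windows: (source_ip, is_anonymous_proxy, country) per request.
PEACETIME = [("203.0.113.%d" % i, i % 50 == 0, "US" if i % 10 else "DE") for i in range(200)]
ATTACK = [("198.51.100.%d" % i, i % 4 != 0, "XX" if i % 5 else "US") for i in range(200)]
PROXY_ONLY = [("198.51.100.%d" % i, i % 4 != 0, "US") for i in range(200)]


def proxy_share(records):
    """Fraction of requests whose source IP is flagged as an anonymous proxy."""
    return sum(1 for _, is_proxy, _ in records if is_proxy) / len(records)


def unusual_geo_share(records, baseline_countries):
    """Fraction of requests from countries never seen in the peacetime window."""
    return sum(1 for _, _, country in records if country not in baseline_countries) / len(records)


def assess_window(records, baseline_records, site_profile="generic"):
    """Score one traffic window against a peacetime baseline.

    Returns the two measured shares and a verdict. Sites that legitimately
    attract proxy traffic (gambling, streaming) use a higher multiple of their
    own baseline; the 50% floor and the 30% geo threshold are assumed values.
    """
    baseline_share = proxy_share(baseline_records)
    baseline_countries = {country for _, _, country in baseline_records}
    multiplier = {"generic": 5.0, "high_proxy_site": 2.0}[site_profile]

    share = proxy_share(records)
    geo = unusual_geo_share(records, baseline_countries)
    proxy_surge = share >= max(0.5, multiplier * baseline_share)
    geo_anomaly = geo >= 0.3

    if proxy_surge and geo_anomaly:
        verdict = "suspected_attack"
    elif proxy_surge:
        verdict = "proxy_surge_only"   # needs corroboration, not a verdict by itself
    else:
        verdict = "normal"
    return {"proxy_share": round(share, 3), "unusual_geo": round(geo, 3), "verdict": verdict}


if __name__ == "__main__":
    for name, window in (("peacetime", PEACETIME), ("attack", ATTACK), ("proxy_only", PROXY_ONLY)):
        print(name, assess_window(window, PEACETIME))
```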

By incorporating these multi-faceted analytics into our security solutions, Radware provides a robust and comprehensive approach to identifying and mitigating potential security incidents.

Advanced Threat Tactics: Case of Anonymous Sudan [*1]

Anonymous Sudan utilizes a sophisticated strategy involving cloud-rented virtual private servers to establish a centrally orchestrated bot infrastructure. In the attacks against Denmark, for example, the group employed 61 high-capacity cloud servers hosted in IBM Cloud. These servers were capable of generating HTTPS request floods at staggering rates, ranging from 800,000 to 2 million Requests Per Second (RPS). To obfuscate its infrastructure and complicate detection efforts, Anonymous Sudan employs a rotating set of proxy and SOCKS servers [*2], which makes it appear as if the attacks are originating from multiple locations. There are also services that provide an enormous number of anonymous proxies, with 10 to 20% of their IP addresses changing daily, making high-scale encrypted HTTPS attacks appear to originate from hundreds of thousands of different IPs. The duration of these attacks varies, lasting from a few minutes to several hours.

It is worth noting that there have been even larger-scale attacks recorded by other organizations such as Google, Akamai, and Cloudflare. For instance, Cloudflare reported a hyperscale attack in February 2023 that peaked at 71 million RPS. However, these attacks only last for a few seconds to a few minutes. In contrast, the attacks we observed from Anonymous Sudan did not exceed 1.8 million RPS, but they maintain this high level for an extended period.

Additionally, Anonymous Sudan diversifies its attack techniques by alternating HTTPS attack waves with UDP and SYN floods. These floods originate from approximately 10,000 unique source IPs and can reach up to 600 Gbps. Moreover, the HTTPS connection floods are further enhanced by leveraging HTTP/1.1 connection pipelining and HTTP/2 multiplexing. They also employ a Content Delivery Network (CDN) cut-through technique by appending random characters to each request. The infrastructure for these attacks involves the same SOCKS network used for HTTPS attacks, and the servers used range from those running Squid in a forward proxy configuration on Ubuntu to compromised Mikrotik routers with SOCKS enabled.

This example underscores the growing complexity of threat actors who consistently refine their tactics, employing anonymous proxies for targeted attacks. Consequently, ongoing vigilance coupled with adaptive security strategies is essential for a robust cybersecurity defense.

Summary

Radware employs various techniques in its core algorithms to make sure that bad actors hiding behind proxies are still flagged as attackers and blocked. Of course, that cannot happen based on IP alone, given that the IP is the proxy's and may be serving other legitimate clients. Radware's behavioral BDoS and Radware's unique Web DDoS mitigation algorithms are agnostic to proxies and provide perfect protection for this scenario. For additional information on Radware DDoS mitigation devices, see Radware.com.

[*1]: Source: Radware 1H 2023 Threat Report.

[*2]: Types of Anonymous Proxies

HTTPS Proxies (Secure and Versatile):
HTTPS proxies are designed for secure web browsing and encrypting data between the user and the proxy server. They excel in safeguarding online transactions and sensitive information. Additionally, they can interpret and filter data packets, making them suitable for content filtering and web data caching.

SOCKS4 Proxies (Flexible but Limited in Security):
SOCKS4 proxies are versatile and handle various network traffic types, but they lack user authentication. They offer privacy and are used for content streaming and bypassing geo-restrictions. However, their security is lower due to the absence of authentication.

SOCKS5 Proxies (Highly Secure and Versatile):
SOCKS5 proxies provide enhanced security, supporting both TCP and UDP connections. They are versatile, compatible with various traffic types, and offer authentication for added security.

Roi Tirosh

Roi Tirosh is a security product manager at Radware with over 15 years of experience in the cybersecurity industry. As a product manager, Roi successfully drives innovation and integrates new technologies into Radware’s security products and solutions. With a strong and successful track record, Roi brings a unique perspective to his role, combining technical expertise with business acumen.
