LOW: Accessible HTTP Proxy Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SEVERITY LEVEL: LOW

Introduction

This report identifies accessible HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse.

If you want to obtain a list of only open proxies (ones not requiring authentication), use the Open HTTP Proxy Report.

How we scan

We search for both open HTTP proxies (ones not requiring authentication) and closed proxies (requiring some form of authentication).

The target URL we try to proxy to is api64.ipify.org.

We search for services that proxy HTTP CONNECT or HTTP GET requests.

We do not perform any intrusive checks on a discovered service.

As of 2023-03-30, we identify 1.35M accessible HTTP proxies.

Dashboard

You can track accessible HTTP proxies on our Dashboard here.

You can also track specific proxy types by using `http_proxy` and `http_proxy6` as a source. For example, this query lists all closed proxies we find with HTTP CONNECT.

Mitigation

If your HTTP proxy service is unintentionally accessible to the public and you receive this report from us for your network or constituency, make sure to firewall traffic to this service.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 version.

Filename: population_http_proxy, population6_http_proxy

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always TCP)
  • port
    Port that the response came from (typically 3128/tcp, 1080/tcp, 8080/tcp etc)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to http-connect-proxy and/or http-connect-proxy-closed. http-connect-proxy is set for open HTTP proxies (not requiring authentication).
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • http
    Hypertext Transfer Protocol Version
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • http_reason
    The text reason to go with the HTTP Code
  • content_type
    The MIME type of the body of the request
  • connection
    Control options for the current connection and list of hop-by-hop request fields
  • proxy_authenticate
    The authentication method that should be used to gain access to a resource behind a proxy server
  • via
    General header added by proxies
  • server
    HTTP Server type
  • content_length
    The length of the response body in octets
  • transfer_encoding
    The form of encoding used to safely transfer the entity to the user
  • http_date
    The date and time that the message was sent

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","sector","asn","geo","region","city","naics","hostname_source","http","http_code","http_reason","content_type","connection","proxy_authenticate","via","server","content_length","transfer_encoding","http_date"
"2010-02-10 00:00:00",info,192.168.0.1,tcp,10001,node01.example.com,http-get-proxy-closed,,64512,ZZ,Region,City,0,,HTTP/1.0,407,"Proxy Authentication Required","text/html; charset=utf-8",close,"Basic realm=\"\"proxy\"\"",,,,,"Wed, 10 Feb 2010 00:00:00 GMT"
"2010-02-10 00:00:01",info,192.168.0.2,tcp,10001,node02.example.com,http-get-proxy-closed,,64512,ZZ,Region,City,0,,HTTP/1.0,407,"Proxy Authentication Required","text/html; charset=utf-8",close,"Basic realm=\"\"proxy\"\"",,,,,"Wed, 10 Feb 2010 00:00:01 GMT"
"2010-02-10 00:00:02",info,192.168.0.3,tcp,10001,node03.example.com,http-get-proxy-closed,,64512,ZZ,Region,City,0,ptr,HTTP/1.0,407,"Proxy Authentication Required","text/html; charset=utf-8",close,"Basic realm=\"\"proxy\"\"",,,,,"Wed, 10 Feb 2010 00:00:02 GMT"
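
The following added example (not part of the original page or of Shadowserver's tooling) parses a report in the format above, keeps only rows inside your own prefixes, and lists open proxies first so they can be firewalled first. The `;`/`,` tag separator, the reading of any tag without the `-closed` suffix as open, and the sample rows and prefixes are assumptions.

```python
import csv
import io
import ipaddress
import re

# Column names copied from the sample header on this page.
HEADER = ("timestamp severity ip protocol port hostname tag sector asn geo region "
          "city naics hostname_source http http_code http_reason content_type "
          "connection proxy_authenticate via server content_length "
          "transfer_encoding http_date").split()

def triage(report_csv, my_networks):
    """Return (ip, port, state, tags) for rows inside my_networks, open first."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    found = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
            port = int(row["port"])
        except (AttributeError, KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the run
        if not any(addr in net for net in nets):
            continue  # not ours (an IPv4/IPv6 mismatch is simply False)
        # Assumption: multiple tags in one field are separated by ';' or ','.
        tags = [t for t in re.split(r"[;,\s]+", row.get("tag") or "") if t]
        # Assumption: a tag without the "-closed" suffix means no authentication.
        is_open = any(not t.endswith("-closed") for t in tags)
        state = "unknown" if not tags else "open" if is_open else "closed"
        found.append((str(addr), port, state, tags))
    # Open proxies first: they need no credentials, so firewall them first.
    return sorted(found, key=lambda f: (f[2] != "open", f[0], f[1]))

def constructed_sample():
    """Constructed rows using documentation addresses, not real scan results."""
    rows = [
        {"ip": "192.0.2.10", "port": "3128", "tag": "http-connect-proxy", "http_code": "200"},
        {"ip": "192.0.2.11", "port": "8080", "tag": "http-get-proxy-closed", "http_code": "407"},
        {"ip": "2001:db8::5", "port": "3128", "tag": "http-connect-proxy-closed", "http_code": "407"},
        {"ip": "198.51.100.7", "port": "1080", "tag": "http-connect-proxy", "http_code": "200"},
        {"ip": "not-an-ip", "port": "3128", "tag": "http-connect-proxy"},
    ]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    for ip, port, state, tags in triage(constructed_sample(), ["192.0.2.0/24", "2001:db8::/32"]):
        print(f"{state:7} {ip} {port}/tcp {';'.join(tags)}")
```

Pass the text of both the IPv4 and the IPv6 report file to `triage` with the same prefix list; each row is matched only against networks of its own address family.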
