LOW: Accessible HTTP Proxy Report

DESCRIPTION LAST UPDATED: 2023-12-07

DEFAULT SEVERITY LEVEL: LOW

Introduction

This report identifies accessible HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse.

If you want to obtain a list of only open proxies (ones not requiring authentication), use the Open HTTP Proxy Report.

How we scan

We search for both open HTTP proxies (ones not requiring authentication) and closed proxies (requiring some form of authentication).

Target URL we are trying to proxy to is api64.ipify.org.

We search for services that proxy HTTP CONNECT or HTTP GET requests.

We do not perform any intrusive checks on a discovered service.

As of 2023-03-30, we identify 1.35M accessible HTTP proxies.

Dashboard

You can track accessible HTTP proxies on our Dashboard here.

You can also track for specific proxy types using `http_proxy` and `http_proxy6` as a source. For example, this query lists all closed proxies we find with HTTP CONNECT.

Mitigation

If your HTTP proxy service is accessible publicly unintentionally and you receive this report from us for your network or constituency make sure to firewall traffic to this service.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 version.

 

Filename: population_http_proxy, population6_http_proxy

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always TCP)
  • port
    Port that the response came from (typically 3128/tcp, 1080/tcp, 8080/tcp etc)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to http-connect-proxy and/or http-connect-proxy-closed. http-connect-proxy is set for open HTTP proxies (not requiring authentication).
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • http
    Hypertext Transfer Protocol Version
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • http_reason
    The text reason to go with the HTTP Code
  • content_type
    The MIME type of the body of the request
  • connection
    Control options for the current connection and list of hop-by-hop request fields
  • proxy_authenticate
    The authentication method that should be used to gain access to a resource behind a proxy server
  • via
    General header added by proxies
  • server
    HTTP Server type
  • content_length
    The length of the response body in octets
  • transfer_encoding
    The form of encoding used to safely transfer the entity to the user
  • http_date
    The date and time that the message was sent

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","sector","asn","geo","region","city","naics","hostname_source","http","http_code","http_reason","content_type","connection","proxy_authenticate","via","server","content_length","transfer_encoding","http_date"
"2010-02-10 00:00:00",info,192.168.0.1,tcp,10001,node01.example.com,http-get-proxy-closed,,64512,ZZ,Region,City,0,,HTTP/1.0,407,"Proxy Authentication Required","text/html; charset=utf-8",close,"Basic realm=\"\"proxy\"\"",,,,,"Wed, 10 Feb 2010 00:00:00 GMT"
"2010-02-10 00:00:01",info,192.168.0.2,tcp,10001,node02.example.com,http-get-proxy-closed,,64512,ZZ,Region,City,0,,HTTP/1.0,407,"Proxy Authentication Required","text/html; charset=utf-8",close,"Basic realm=\"\"proxy\"\"",,,,,"Wed, 10 Feb 2010 00:00:01 GMT"
"2010-02-10 00:00:02",info,192.168.0.3,tcp,10001,node03.example.com,http-get-proxy-closed,,64512,ZZ,Region,City,0,ptr,HTTP/1.0,407,"Proxy Authentication Required","text/html; charset=utf-8",close,"Basic realm=\"\"proxy\"\"",,,,,"Wed, 10 Feb 2010 00:00:02 GMT"

Our 132 Report Types