MEDIUM: Open HTTP Proxy Report

DESCRIPTION LAST UPDATED: 2023-12-12

DEFAULT SEVERITY LEVEL: MEDIUM

Introduction

This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse.

This report concerns open HTTP proxies only, ie. ones that do not require authentication. For all accessible HTTP proxies, check out the Accessible HTTP proxy report.

How we scan

We search for open HTTP proxies (ones not requiring authentication).

We search for services that proxy HTTP CONNECT or HTTP GET requests.

Target resource we are trying to proxy to is api64.ipify.org.

We do not perform any intrusive checks on a discovered service.

As of 2023-03-30, we identify 68K open HTTP proxies.

Dashboard

You can track open HTTP proxies on our Dashboard here.

You can also track for specific proxy types using `http_proxy` and `http_proxy6` as a source. For example, this query lists all open proxies we find with HTTP CONNECT.

Mitigation

If you receive this report from us for your network or constituency you should investigate the presence of the open proxy. You may want to implement authentication or filter traffic to the service.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

This report has an IPv4 and IPv6 version.

 

Filename: scan_http_proxy, scan6_http_proxy

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always TCP)
  • port
    Port that the response came from (typically ports 3128/TCP, 1080/TCP, 8080/TCP etc)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to http-connect-proxy
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • http
    Hypertext Transfer Protocol Version
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • http_reason
    The text reason to go with the HTTP Code
  • content_type
    The MIME type of the body of the request
  • connection
    Control options for the current connection and list of hop-by-hop request fields
  • proxy_authenticate
    The authentication method that should be used to gain access to a resource behind a proxy server
  • via
    General header added by proxies
  • server
    HTTP Server type
  • content_length
    The length of the response body in octets
  • transfer_encoding
    The form of encoding used to safely transfer the entity to the user
  • http_date
    The date and time that the message was sent

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","sector","asn","geo","region","city","naics","hostname_source","http","http_code","http_reason","content_type","connection","proxy_authenticate","via","server","content_length","transfer_encoding","http_date"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,10001,node01.example.com,http-connect-proxy,"Professional, Scientific, and Technical Services",64512,ZZ,Region,City,0,,HTTP/1.1,200,"Connection Established",,,,,,,,"Wed, 10 Feb 2010 00:00:00 GMT"
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,10001,node02.example.com,http-connect-proxy,"Professional, Scientific, and Technical Services",64512,ZZ,Region,City,0,,HTTP/1.1,200,"Connection Established",,,,,,,,"Wed, 10 Feb 2010 00:00:01 GMT"
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,10001,node03.example.com,http-connect-proxy,,64512,ZZ,Region,City,0,,HTTP/1.1,200,"Connection Established",,,,,,,,"Wed, 10 Feb 2010 00:00:02 GMT"

Our 131 Report Types

« Back to Network Reporting