Using a proxy server does not by itself mean that a connection is a security incident. Still, forensic professionals and law enforcement investigators benefit from knowing that attackers who run a proxy may actually be making themselves easier to detect, because proxies can help identify the attacker’s precise location.
Once you have created a cloud application, you gain global visibility regardless of the potential attacker’s country, though some proxy vendors let anyone use their services, which raises the probability that attackers are using such proxies. These proxy IP addresses end up on extensive spam lists that you can then use to block or rate limit transactions on your website. Regardless of the application’s underlying language, you can identify a transparent proxy and log the originating IP address for further analysis should an investigation occur.
Transparent Proxies vs Anonymous Proxies
Before you decide whether to rely on proxy logs and client IP addresses, you need to understand the differences between transparent proxies and anonymous proxies. You cannot retrieve the original IP address from a fully anonymous proxy, because it is never sent to your application server.
Anonymous proxies are servers that let users connect and retrieve website content using the proxy server’s IP address, without sending the additional server header variables that indicate a proxy connection. What you see on your application server is the anonymous proxy’s IP address, not the original user’s IP address. Such proxies show no sign of being a proxy and look like an ordinary connection when you audit traffic.
Nevertheless, you can keep these proxies from accessing your application if you purchase lists of IP addresses associated with the worst offenders. The right time to consider such lists is when you find that a large proportion of your traffic is malicious. For common platforms such as WordPress and Joomla, you can download plugins that help you block IP addresses known for spam.
Transparent proxies forward the user’s original IP address. As a result, you can log it and determine the real IP location and internet service provider (ISP). IP logging is used for many reasons, such as information security, establishing traffic patterns, tracking, understanding customer trends, and application cookies. Using a proxy server does not conclusively make the user malicious, but it is one way to identify an attacker should you discover suspicious activity on your application.
If you perform a reverse lookup on an IP address, you cannot always tell whether it is a transparent or an anonymous proxy. Location and DNS lookups can help you decide whether it might be a proxy, but most server administrators do not invest time and effort in this kind of detection unless a security incident is ongoing. Developers can use server header variables and log the data, which in turn reveals a proxy server.
Discovering Proxies In Your Web Application Code
If the connection to your application server goes through a transparent proxy, the application receives two IP addresses: the original IP and the proxy server IP. When these two IPs do not match, you know that you have a proxy connection. An anonymous proxy does not send these additional server variables, so if you read their values, the result will be null.
Several server header variables indicate a proxy server.
Any number of these may be forwarded by the proxy server, so you must check each of them for any value other than the IP logged by the server. Use the “REMOTE_ADDR” server variable to identify the IP address connecting to your server. In a proxy connection, for instance, it returns the proxy address rather than the original IP address.
One way to detect a proxy is to take the IP address from the REMOTE_ADDR server variable and compare it to every server variable listed below. The following PHP code lets us do this:
The code above shows that the loop iterates over every server header that indicates a proxy and compares it to the remote IP address stored in the $remote_ip variable, which is set from REMOTE_ADDR. If the server header is set and does not equal the IP in $remote_ip, the application assumes the sender is using a proxy. You can use this code snippet to carry out any number of actions based on this detection. You may choose to log an event on your server, block the connection, or use the origin IP as the user location.
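The check described above, written out as an added PHP example (not the original page's listing or the author's code). The header list in PROXY_HEADERS, the function name detect_transparent_proxy and the sample request are assumptions. Because these headers are supplied by the client or proxy, the recovered address is recorded as an unverified claim alongside REMOTE_ADDR.

```php
<?php
// Added example. The header list is an assumption (commonly seen proxy
// variables), not the list from the original page.
const PROXY_HEADERS = [
    'HTTP_X_FORWARDED_FOR',
    'HTTP_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED',
    'HTTP_CLIENT_IP',
    'HTTP_VIA',
];

// Hypothetical helper: compares each proxy variable with REMOTE_ADDR.
function detect_transparent_proxy(array $server): array
{
    $remote_ip = $server['REMOTE_ADDR'] ?? '';
    $result = ['proxy' => false, 'remote_ip' => $remote_ip,
               'claimed_ip' => null, 'headers' => []];

    foreach (PROXY_HEADERS as $name) {
        $value = trim((string) ($server[$name] ?? ''));
        if ($value === '' || $value === $remote_ip) {
            continue; // unset, or identical to the connecting address
        }
        $result['proxy'] = true;
        $result['headers'][] = $name;

        // Forwarded-for values may be a comma-separated chain whose first
        // entry is the claimed origin. Keep it only if it parses as an IP.
        $first = trim(explode(',', $value)[0]);
        if ($result['claimed_ip'] === null
            && filter_var($first, FILTER_VALIDATE_IP) !== false) {
            $result['claimed_ip'] = $first;
        }
    }
    return $result;
}

// Constructed sample request (documentation address ranges).
$sample = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.10',
    'HTTP_VIA'             => '1.1 proxy.example',
];
$hit = detect_transparent_proxy($sample);
if ($hit['proxy']) {
    error_log('proxy detected: ' . json_encode($hit));
}
```

Log both remote_ip and claimed_ip: only REMOTE_ADDR comes from the TCP connection itself, so blocking and rate limiting decisions should key on it rather than on the header value.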