Proxy Detection and the Comparison of Detection Tools with Verified Data

We used a specific method to detect whether an attacker was using a proxy. RDP records the attacker’s IP address, the time they attempted to log in, and the credentials they used. Once the attacker connects to our RDP honeypot, the session reveals more information about their real location, such as their internal IP address and time zone. By comparing these client-side details with the external IP address we observed, we can determine whether a proxy is being used.

Since 2019, our honeypots have recorded 57 million login attempts. Out of those, only 1,774 attempts were successful. Narrowing this down to unique IP addresses and filtering out incomplete data, we ended up with a final dataset of 253 IP addresses, which we used to test various proxy detection tools.

The tools we tested showed a wide range in the number of IP addresses flagged as proxies. Some flagged many, while others flagged very few. However, simply flagging an IP address doesn’t necessarily mean the tool is accurate. We needed to look at the number of true and false positives, that is, how many of the addresses a tool flagged were genuinely proxies according to our verified data.

One of the tools identified the highest number of proxies, but only 75.93% of those flagged were accurate. Others performed slightly better, with accuracy rates between 78% and 81%. The most accurate tools were paid options, with one reaching an accuracy of 94.12%. These tools, though more precise, flagged fewer IP addresses as proxies compared to the others.
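The comparison method described above and the accuracy figures in this section, as an added example that is not part of the original study: a constructed set of honeypot sessions is verified by checking the client-reported time zone and internal address against the external IP, and each tool's flags are then scored as the share of flagged addresses that the verified data confirms. The session fields, the geolocated time-zone offsets and the tool flag lists are all assumed sample values.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: a client reporting one of these tells us nothing about its real location.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Session:
    """One successful RDP honeypot login (constructed sample data below)."""
    external_ip: str          # address the honeypot saw the connection from
    external_tz_offset: int   # UTC offset (hours) expected for that address's geolocated region (assumed lookup)
    client_tz_offset: int     # UTC offset (hours) the RDP client reported for itself
    client_internal_ip: str   # address the RDP client reported for itself


def verified_proxy(s: Session) -> bool:
    """Ground truth: the client-side details disagree with the external IP we observed."""
    internal = ipaddress.ip_address(s.client_internal_ip)
    # A client that reports a routable address different from the one we saw is behind a proxy.
    if not any(internal in net for net in PRIVATE_NETS) and internal != ipaddress.ip_address(s.external_ip):
        return True
    # Otherwise the client's configured time zone should match the external IP's region.
    return s.client_tz_offset != s.external_tz_offset


def score_tools(sessions, tool_flags):
    """Per tool: number of dataset IPs flagged and the share of those that are verified proxies."""
    truth = {s.external_ip for s in sessions if verified_proxy(s)}
    known = {s.external_ip for s in sessions}
    results = {}
    for tool, flagged in tool_flags.items():
        flagged = set(flagged) & known          # ignore flags for IPs outside the verified dataset
        tp = len(flagged & truth)
        precision = round(100 * tp / len(flagged), 2) if flagged else 0.0
        results[tool] = {"flagged": len(flagged), "true_positives": tp, "precision": precision}
    return results


SESSIONS = [  # constructed sample sessions
    Session("203.0.113.10", 1, 1, "192.168.1.20"),    # consistent details: likely direct
    Session("203.0.113.11", 1, 8, "10.0.0.5"),        # time zone mismatch: proxy
    Session("203.0.113.12", -5, -5, "198.51.100.7"),  # reports another routable IP: proxy
    Session("203.0.113.13", 3, 3, "172.16.4.4"),      # consistent details: likely direct
]
TOOL_FLAGS = {  # constructed tool output
    "tool_a": {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"},  # flags everything
    "tool_b": {"203.0.113.11", "203.0.113.12"},                                  # fewer flags, all correct
    "tool_c": {"203.0.113.11", "203.0.113.13", "203.0.113.99"},                  # one miss, one unknown IP
}

if __name__ == "__main__":
    for tool, r in score_tools(SESSIONS, TOOL_FLAGS).items():
        print(tool, r)
```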

Proxy Detection

In addition to proxy detection, these tools offer other features. For example, some assess the reputation or trustworthiness of IP addresses. In our test, many IP addresses were wrongly marked as “harmless,” even though they had attempted to log into our honeypots, showing the limitations of this feature. Another tool provided an “abuser score” for each IP address, meant to show how likely an IP is to be involved in abusive activities. Surprisingly, many of the IP addresses received very low abuser scores, which didn’t reflect their actual activity in our system, where many IPs attempted thousands of attacks.

One reason for these inaccuracies could be that these features rely on user submissions, where people report IP addresses as abusive or malicious. This process can sometimes be slow or unreliable, which explains why some IPs are incorrectly labelled. It is also difficult to remove an IP address from a blacklist once it has been flagged, making the process even more challenging.

In conclusion, detecting proxies is a complicated task due to the ever-changing nature of the internet. The tools we tested varied greatly in their accuracy, with the most reliable being the ones that balanced the number of flagged proxies with the accuracy of the information. Going forward, we plan to use the most reliable tools to study the behaviour of attackers who use proxies versus those who do not. This analysis will help us better understand how attackers hide their identities and what methods are most effective in identifying them.