Proxy Attack?
I review the Dimension logs every morning when I get to the office. This morning, I think that I uncovered an attempted Proxy Attack. All the activity is on port 80 and starts with an apparent connection to http://azenv.net, which is not associated with my public IP address. There is a later attempt to go to http://www.google.com:443. All of these packets are allowed by the Firebox.
The reason for the 203.0.113.10 addresses is that the DMZ firewall is behind another one. The source IP address, 20.185.221.226, is Microsoft.
Here are the log entries for the three-second period:
2020-07-29 03:36:40 FWAllow, Allowed, pri=4, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, dst_ip_nat=172.30.78.7, src_intf=0-External, dst_intf=3-DMZ, rc=100, pckt_len=52, ttl=105, pr_info=offset 8 S 2103205826 win 32, 3000-0148, geo_src=USA
2020-07-29 03:36:40 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=525, proxy_act=HTTP-Server.Standard.WEB, rcvd_bytes=12003, sent_bytes=172, elapsed_time=0.005369 sec(s); op=GET, dstname=azenv.net, arg=/, 1AFF-0024, src_ctid=ffff8008734bf900; dst_ctid=ffff8008734bf900; out_port=60255; srv_ip=172.30.78.7; srv_port=80, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyAvScan: HTTP Content Type match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=599, proxy_act=HTTP-Server.Standard.WEB, rule_name=Default, content_type=text/html, 1AFF-0018, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=590, proxy_act=HTTP-Server.Standard.WEB, header=Proxy-Connection: Keep-Alive\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=590, proxy_act=HTTP-Server.Standard.WEB, header=Host: azenv.net\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=590, proxy_act=HTTP-Server.Standard.WEB, header=User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyReplace: HTTP Content Action redirect, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=591, proxy_act=HTTP-Content.Standard.CNWeb, 1AFF-003A, redirect_action=HTTP-Server.Standard.WEB; srv_ip=172.30.78.7; srv_port=80, geo_src=USA, client_ssl=NONE; server_ssl=NONE
2020-07-29 03:36:40 ProxyMatch, ProxyReplace: HTTP Request content match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=591, proxy_act=HTTP-Content.Standard.CNWeb, rule_name=Default, dstname=azenv.net, arg=/, 1AFF-003B, srv_ip=172.30.78.7; srv_port=80; redirect_action=HTTP-Server.Standard.WEB, geo_src=USA
2020-07-29 03:36:42 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=525, proxy_act=HTTP-Content.Standard.CNWeb, rcvd_bytes=0, sent_bytes=91, elapsed_time=0.000266 sec(s); op=CONNECT, dstname=www.google.com:443, arg=, 1AFF-0024, src_ctid=ffff8008734bf480; dst_ctid=ffff8008734bf480; out_port=60707; srv_ip=172.30.78.7; srv_port=80, geo_src=USA
2020-07-29 03:36:42 ProxyMatch, ProxyDeny: HTTP request method match, pri=6, disp=Deny, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=595, proxy_act=HTTP-Content.Standard.CNWeb, method=CONNECT, rule_name=Default, 1AFF-001A, geo_src=USA
2020-07-29 03:36:43 FWAllow, Allowed, pri=4, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, dst_ip_nat=172.30.78.7, src_intf=0-External, dst_intf=3-DMZ, rc=100, pckt_len=52, ttl=106, pr_info=offset 8 S 2129274828 win 32, 3000-0148, geo_src=USA
There is no other activity from this IP address on port 80 or port 443.
A few questions:
1. What is src_ctid=ffff8008734bf480; dst_ctid=ffff8008734bf480?
2. Was this attack successful or was it just a probe?
3. Any other thoughts?
Adrian from Australia
Comments
http://azenv.net/ is a proxy judge
What is a Proxy Judge?
https://www.proxynova.com/proxy-articles/list-of-proxy-judges/
Looks to me that something at MS is doing research. No idea why.
Perhaps looking for malware sites?
https://www.sans.org/reading-room/whitepapers/malicious/tracking-malware-public-proxy-lists-33604
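Added example (not part of the original thread, and not WatchGuard or Dimension code): a small Python script that turns log lines in the format shown in the post into dictionaries and scores the open-proxy-probe pattern the proxy-judge comment above describes, namely a proxy-style request for a host the DMZ server does not serve (azenv.net), a Proxy-Connection header, and a CONNECT attempt that the proxy action denies. The field-parsing regex is my own reading of the key=value layout in the post, not a published format specification; OWN_HOSTS, the 198.51.100.7 contrast line and the abridged sample lines are constructed for the example. The script does not interpret src_ctid/dst_ctid, which it leaves as opaque strings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hostnames and addresses this DMZ web server legitimately serves.
# Constructed for this example; a real deployment lists its own sites.
OWN_HOSTS = {"203.0.113.10", "www.example-site.test"}

# Constructed sample lines: the first six are abridged from the entries in
# the post (less relevant fields dropped); the last is an ordinary request
# to our own site, added for contrast.
SAMPLE_LOG = r"""
2020-07-29 03:36:40 FWAllow, Allowed, pri=4, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, pr_info=offset 8 S 2103205826 win 32, 3000-0148, geo_src=USA
2020-07-29 03:36:40 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, rc=525, elapsed_time=0.005369 sec(s); op=GET, dstname=azenv.net, arg=/, 1AFF-0024, src_ctid=ffff8008734bf900; dst_ctid=ffff8008734bf900, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, rc=590, header=Proxy-Connection: Keep-Alive\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, rc=590, header=User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA
2020-07-29 03:36:42 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, rc=525, op=CONNECT, dstname=www.google.com:443, arg=, 1AFF-0024, src_ctid=ffff8008734bf480; dst_ctid=ffff8008734bf480, geo_src=USA
2020-07-29 03:36:42 ProxyMatch, ProxyDeny: HTTP request method match, pri=6, disp=Deny, policy=HTTP-proxy.WebServer-00, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, rc=595, method=CONNECT, rule_name=Default, 1AFF-001A, geo_src=USA
2020-07-29 03:40:01 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, src_ip=198.51.100.7, src_port=41022, dst_ip=203.0.113.10, dst_port=80, rc=525, op=GET, dstname=www.example-site.test, arg=/index.html, 1AFF-0024, geo_src=AUS
"""

# key=value pairs are separated by ", " or "; "; values may themselves contain
# commas/semicolons (User-Agent), so stop only before the next "key=" or a
# bare message id such as "1AFF-0024".
KV_RE = re.compile(r"(\w+)=(.*?)(?=,\s\w+=|;\s\w+=|,\s[0-9A-F]{4}-[0-9A-F]{4}\b|$)")
HEAD_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+), ([^,]*),")


def parse_line(line):
    """Turn one log line into a dict of its fields, or None if it does not match."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
          "msg": m.group(2), "desc": m.group(3).strip()}
    for key, val in KV_RE.findall(line):
        # Header values carry a literal "\x0d\x0a" (CRLF) suffix in the log; drop it.
        ev[key] = val.replace(r"\x0d\x0a", "").strip()
    return ev


def analyse(lines, own_hosts=OWN_HOSTS):
    """Group events by source IP and score the open-proxy-probe indicators."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and "src_ip" in ev:
            by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        foreign, connects = set(), set()
        proxy_header = connect_denied = False
        for ev in evs:
            if ev["msg"] == "ProxyHTTPReq":
                # dstname may carry a port ("www.google.com:443"); strip it.
                # Simplification: bracketed IPv6 literals are not handled.
                host = ev.get("dstname", "").rsplit(":", 1)[0]
                if host and host not in own_hosts:
                    foreign.add(host)          # request for a host we do not serve
                if ev.get("op") == "CONNECT":
                    connects.add(ev.get("dstname", ""))
            elif ev["msg"] == "ProxyMatch":
                if ev.get("header", "").lower().startswith("proxy-connection:"):
                    proxy_header = True        # header only a proxy client sends
                if ev.get("method") == "CONNECT" and ev.get("disp") == "Deny":
                    connect_denied = True      # the proxy action refused the tunnel

        score = int(bool(foreign)) + int(proxy_header) + int(bool(connects))
        if score == 0:
            verdict = "normal"
        elif connects and not connect_denied:
            verdict = "open-proxy probe, CONNECT NOT denied: verify the proxy action"
        elif connects:
            verdict = "open-proxy probe, CONNECT denied by proxy action"
        elif score >= 2:
            verdict = "open-proxy probe (proxy-style GET only)"
        else:
            verdict = "suspicious, review"
        findings[src] = {
            "span_seconds": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "foreign_hosts": sorted(foreign),
            "proxy_header": proxy_header,
            "connect_targets": sorted(connects),
            "connect_denied": connect_denied,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG.strip().splitlines()).items():
        print(src, f["verdict"], f["foreign_hosts"], f["connect_targets"])
```

Run against the sample, the Microsoft source comes out as "open-proxy probe, CONNECT denied by proxy action" with a two-second span, while the contrast line is "normal". The verdict that matters operationally is the "CONNECT NOT denied" one: a proxy judge only reports a host as usable if the tunnel or relayed request actually goes through, so the ProxyDeny on the CONNECT method is the line that says the probe failed. Feed it the real export (one entry per line) and set OWN_HOSTS to the names your DMZ server answers for.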
Thanks Bruce.. I will see if it happens again.. Very upsetting..
Adrian from Australia