[Plug-security] Is it appropriate for anonymous proxy servers to surreptitiously run IDENT?

Samizdatt plug-security@lists.PLUG.phoenix.az.us
Fri, 30 Nov 2001 17:08:10 -0500


Is it appropriate for anonymous proxy servers to surreptitiously run IDENT, which basically attempts to collect as much information as possible from the host computer making the request through the anonymous proxy? Why do an IDENT check at all? Isn't anonymity the point of using a proxy server in the first place?


****************************
http://www.robertgraham.com/pubs/firewall-seen.html

"(113 identd/auth) This is a protocol that runs on many machines that identifies the user of a TCP connection. In standard usage this reveals a LOT of information about a machine that hackers can exploit. However, it is used by a lot of services by loggers, especially FTP, POP, IMAP, SMTP, and IRC servers. In general, if you have any clients accessing these services through a firewall, you will see incoming connection attempts on this port. Note that if you block this port, clients will perceive slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a RST on the TCP connection as part of the blocking procedure, which will stop these slow connections."
*****************************


Additionally, wouldn't it be quite misleading to the users of the anonymous proxy if the company or individual hosting the proxy were to execute the IDENT requests from an "unknown host" without a DNS name? It could be a stealthy way of identifying, logging and archiving the identity of individuals using the proxy that they thought was masking their identity, but in actuality, the anonymous proxy was effectively spying and recording their surfing habits by linking their surfing habits with the user's identity gained with the "unknown host's" IDENT information.

Many users wouldn't have the time to track down the holder of the "unknown host" making the IDENT requests, but if the "unknown host" had a DNS name to identify itself as making the IDENT requests, many of the proxy's users would be able to kindly ask why the owner of the proxy was attempting to discover as much as possible about the proxy users' true identity. I would assume that most users would seriously consider using another anonymous proxy if the explanation was somehow lacking in specifics and reason.

I personally block both TCP & UDP from port 113 on my host to restrict as much information as possible from being revealed to crackers.

*****************************
Reason to be paranoid:
http://www.zeltser.com/sans/gcih-practical/revmalw.html

"A variant of the srvcp.exe trojan, discussed in this document, was brought to the
attention of the defense community by Jeremy L. Gaddis on 8 June 2000. In his posting to
the Incidents mailing list, Jeremy reported noticing inbound connection attempts to TCP
port 113 from an unknown host on the Internet, as well as unauthorized outbound
connection attempts to a remote server on destination TCP port 6667.[JLG] Investigating
the incident, Jeremy discovered the trojan's ties to an Internet Relay Chat (IRC)
network, as described in his message:"
*****************************


Since I'm entirely ignorant about the operation of an anonymous proxy server, this may very well be the way they all operate. If this is not the case, I'd really like the owner of the proxy in question to address his reasons for harvesting identifying information.

Thanks...
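
The observation behind the question, inbound TCP port 113 attempts arriving from a host other than the one the client connected to, can be checked against a firewall log. The following is an added example, not part of the original post; the log format, the addresses, and the `correlate_ident` function are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical format, documentation addresses).
SAMPLE_LOG = """\
2001-11-30 17:01:02 OUT TCP 192.0.2.10:1045 -> 198.51.100.7:8080
2001-11-30 17:01:03 IN TCP 203.0.113.99:4021 -> 192.0.2.10:113
2001-11-30 17:05:40 OUT TCP 192.0.2.10:1046 -> 198.51.100.20:25
2001-11-30 17:05:41 IN TCP 198.51.100.20:3310 -> 192.0.2.10:113
2001-11-30 17:30:00 IN TCP 203.0.113.5:2200 -> 192.0.2.10:113
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dir>IN|OUT) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def correlate_ident(log_text, window_seconds=10):
    """Classify each inbound TCP/113 attempt by the outbound connection before it."""
    window = timedelta(seconds=window_seconds)
    outbound, findings = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["dir"] == "OUT":
            outbound.append((ts, m["dst"], int(m["dport"])))
            continue
        if int(m["dport"]) != 113:
            continue  # only ident/auth probes are of interest
        recent = [o for o in outbound if timedelta(0) <= ts - o[0] <= window]
        same = [o for o in recent if o[1] == m["src"]]
        if same:        # the server we contacted is asking (usual logging case)
            verdict, peer = "same-host", same[-1]
        elif recent:    # a different host probes right after our connection
            verdict, peer = "third-party", recent[-1]
        else:           # no outbound connection explains the probe
            verdict, peer = "unsolicited", None
        findings.append({
            "time": m["ts"], "ident_from": m["src"], "verdict": verdict,
            "after_connection_to": f"{peer[1]}:{peer[2]}" if peer else None,
        })
    return findings

if __name__ == "__main__":
    for finding in correlate_ident(SAMPLE_LOG):
        print(finding)
```

A "third-party" verdict corresponds to the "unknown host" case described in the post: the probe follows a connection to the proxy but comes from a different address.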