An Extensive Evaluation of the Internet's Open Proxies

TL;DR

This comprehensive study of over 107,000 open proxies over 50 days reveals high unresponsiveness, widespread malicious behavior including cryptojacking and malware injection, and compares their reliability unfavorably to Tor exit relays.

Contribution

The paper provides the first large-scale, detailed analysis of open proxies' availability, behavior, and malicious activities, highlighting their risks and contrasting them with Tor.

Findings

Over 92% of listed open proxies are unresponsive.

Numerous proxies manipulate content for cryptojacking and malware.

Tor relays show no malicious behavior, indicating higher reliability.

Abstract

Open proxies forward traffic on behalf of any Internet user. Listed on open proxy aggregator sites, they are often used to bypass geographic region restrictions or circumvent censorship. Open proxies sometimes also provide a weak form of anonymity by concealing the requestor's IP address. To better understand their behavior and performance, we conducted a comprehensive study of open proxies, encompassing more than 107,000 listed open proxies and 13M proxy requests over a 50 day period. While previous studies have focused on malicious open proxies' manipulation of HTML content to insert/modify ads, we provide a more broad study that examines the availability, success rates, diversity, and also (mis)behavior of proxies. Our results show that listed open proxies suffer poor availability--more than 92% of open proxies that appear on aggregator sites are unresponsive to proxy requests. Much more troubling, we find numerous examples of malicious open proxies in which HTML content is manipulated to mine cryptocurrency (that is, cryptojacking). We additionally detect TLS man-in-the-middle (MitM) attacks, and discover numerous instances in which binaries fetched through proxies were modified to include remote access trojans and other forms of malware. As a point of comparison, we conduct and discuss a similar measurement study of the behavior of Tor exit relays. We find no instances in which Tor relays performed TLS MitM or manipulated content, suggesting that Tor offers a far more reliable and safe form of proxied communication.