
If an attacker uses proxy list from a US based company, investigators can use the logs to retrace the attacker's real IP address (even if the proxies are in China, logs should be kept).

If the company was based elsewhere, no diplomatic relations with the US/Europe, no logs.

What can an investigator do in this case (not the NSA)?

Particularly, is the proxy chain reversible in some other fashion or will the investigators be forced to follow other leads?

Alas, I couldn't find much info from the perspective of normal security investigators, but I did find:

However, these are not exactly my question.

Lumon

1 Answer

Things that come immediately to mind -

  • Whilst the proxy operator might not keep logs the ISPs may. Especially if they have been asked to for a specific site / user by authorities.
  • Even if they can't see the entire route on the parts they do they could attempt packet matching. Especially if sending something of a particularly unique size.
  • If they control the remote server they could attempt browser fingerprinting or exploitation.
  • If they suspect you then they can attempt to prove your machine has visited that site - i.e. if you have a file that has come from it or it is contained in your browser cache.
Hector
  • Very interesting, thanks a lot! regarding packet matching, if your machine (the victim) received a unique packet, and some host on the network or even a national ISP saw such unique packet sent (to china for that matter), this is how packet matching is done? – Lumon Dec 08 '17 at 15:49
  • @Lumon - See here - https://blog.torproject.org/traffic-correlation-using-netflows – Hector Dec 08 '17 at 16:08
  • I get it, nice read. Are the 4 methods you mentioned employed outside of national agencies? Or security investigation is not exactly a career to pursue? – Lumon Dec 08 '17 at 16:22
  • @Lumon - For network based attempts outside of research labs not as far as I am aware but I imagine in several jurisdictions it would be technically possible for a judge to order any present ISP logs etc. are released to investigators. With regards to browser fingerprinting and browser exploitation I can see high motivation for certain sites to identify their own users against their wishes - so it would not surprise me if it is actively attempted. Browser fingerprinting is widespread in ad networks (although the Tor Browser has some protections from this). – Hector Dec 08 '17 at 16:28
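The "packet matching" idea in the answer and the linked Tor blog post (correlating flow records seen at two vantage points by size and timing) can be shown in miniature. The following is an added example, not code from the answer or from the Tor project: it takes constructed NetFlow-style records from two observers, one near the targeted server (which only sees the last proxy's address) and one from an ISP near candidate clients, and counts, per candidate source address, how many flows line up within a time window and a byte-size tolerance. The `Flow` type, the function names and the sample addresses (RFC 5737 documentation space and private 10.0.0.0/8) are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow record as an observer would export it (constructed format)."""
    ts: float      # seconds since an arbitrary epoch, as seen by the observer
    src: str       # source address as seen by that observer
    nbytes: int    # bytes carried by the flow


def size_matches(a: int, b: int, tolerance: float) -> bool:
    """True when the two byte counts differ by at most `tolerance` (a fraction).

    A relative tolerance is used because each proxy hop may add or strip a few
    bytes of framing, so exact equality is too strict.
    """
    lo, hi = sorted((a, b))
    return lo > 0 and (hi - lo) / lo <= tolerance


def match_flows(client_flows: List[Flow], server_flows: List[Flow],
                max_delay: float = 5.0, tolerance: float = 0.02) -> List[Tuple[Flow, Flow]]:
    """Pair client-side and server-side flows that are plausibly the same traffic.

    The client-side record must precede the server-side record (traffic flows
    client -> proxies -> server) by no more than `max_delay` seconds, and the
    sizes must agree within `tolerance`.
    """
    pairs = []
    for s in server_flows:
        for c in client_flows:
            delay = s.ts - c.ts
            if 0.0 <= delay <= max_delay and size_matches(c.nbytes, s.nbytes, tolerance):
                pairs.append((c, s))
    return pairs


def rank_candidates(client_flows: List[Flow], server_flows: List[Flow],
                    **kw) -> List[Tuple[str, int]]:
    """Rank candidate client addresses by how many server-side flows they match.

    One coincidental match is weak evidence; several matches over time is what
    makes a candidate worth following up, and even then it is a lead, not proof.
    """
    counts = Counter(c.src for c, _ in match_flows(client_flows, server_flows, **kw))
    return counts.most_common()


# Constructed sample data. The server-side observer only ever sees the proxy's
# address (203.0.113.7); the client-side observer sees several local clients.
SERVER_FLOWS = [
    Flow(100.3, "203.0.113.7", 48211),
    Flow(160.8, "203.0.113.7", 1201),
    Flow(230.1, "203.0.113.7", 73330),
]

CLIENT_FLOWS = [
    Flow(99.1, "10.0.0.5", 48900),    # right size, 1.2 s before the server saw it
    Flow(80.0, "10.0.0.9", 48300),    # right size but 20 s too early: no match
    Flow(99.9, "10.0.0.7", 3000),     # wrong size: no match
    Flow(159.5, "10.0.0.5", 1215),
    Flow(228.0, "10.0.0.5", 74100),
    Flow(229.0, "10.0.0.9", 74000),   # a single coincidental match
]

if __name__ == "__main__":
    for src, n in rank_candidates(CLIENT_FLOWS, SERVER_FLOWS):
        print(f"{src}: {n} of {len(SERVER_FLOWS)} server-side flows matched")
```

With the constructed records, 10.0.0.5 matches all three server-side flows while 10.0.0.9 matches only one, which is the shape of result an investigator would look for before asking for more data on a candidate. The approach only works where some observer on the client side keeps flow records at all, which is exactly the point the answer makes about ISPs, and it gets stronger when the server-side traffic has distinctive sizes or timing (the "particularly unique size" in the answer) so that coincidental matches become rare.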