Monday, March 8, 2010

Proxy Piercing: "to pierce" or "not to pierce"?

Proxy Piercing has an interesting “marketing spin” to it, but it simply means we can acquire a PC’s actual local IP address.

In order to read a PCs local IP address and deliver it reliably back to your own servers you must execute some native code on the PC e.g. Java applet, a toolbar, or an application which will then send that IP Address back to your own servers using a TCP/IP or UDP socket connection, by-passing the HTTP data stream being sent through the proxy server. This is because all IP addresses that are passed within the x-forwarded-for string will be scrubbed (deleted) by the proxy. Alternate methods for transferring an IP address “transparently” might include methods of encrypting the IP Address using JavaScript or ActionScript into some target data field on the PC that will be transmitted within the HTTP stream’s user-agent-string. But since a “smart” proxy is going to re-write ALL of the attributes within the user-agent string, your encrypted IP data is simply going to get dropped on the floor, and lost! So this fraud management technique comes with challenges.

But is knowing the actual PC’s IP address ultimately beneficial for fraud management? If it was possible to reliably acquire the IP Address transparently (and it’s not a unroutable IP address) the answer is going to be yes only sometimes, and its usefulness is going to be temporary at best. Because, as you probably know, IP addresses are not “owned” by a PC. They are not like license plates assigned to an automobile by the DMV. IP addresses are extremely temporary, assigned by an ISP for a real-time connection. But they can be re-cycled as frequently as every time the user reboots their router e.g. possibly everyday. And when another PC is re-assigned an IP address that you have put on your block-list, then you will introduce a false-positive potentially blocking a good customer. Also if a PC is sitting behind NAT (network address translation) firewall then the PC itself will have an unroutable “local” IP Address e.g. in the range of 192.168.xxx.xxx or 10.x.x.x etc., which will basically tell you nothing.

What I have found in my experience to be the most effective fraud management technique relating to IP Addresses and their subsequent geolocation is to monitor for suspicious activity generated by the use of a proxy server, that is what will be most telling. I look for suspicious velocity changes in geolocation that is the actual result of a fraudster’s activity while using an anonymizing proxy for fraudulent and abusive objectives.

No comments: