2

I recently noticed a huge amount of downloads made through my IP (iknowwhatyoudownload.com). On the website abuseipdb.com, I discovered some reports of abusive behavior.

So I started an investigation with other users of my ISP and found out that everyone has the same problem. I found everyone's IP on public proxy server lists. I tried to connect to these servers myself and it was something extremely simple: I just typed in the IP and used port 8080 and it immediately worked. Initially I suspected some malware on my PC, but after seeing that so many other people are being used (maybe all of this ISP's customers), I believe it might be a different situation.

Does anyone know what the possible explanations are?

schroeder
  • 129,372
  • 55
  • 299
  • 340
Lioncourt
  • 23
  • 5
  • It might be malware on some device in your network (including your router). It might be something you deemed innocent, like a free VPN service you have installed. – Steffen Ullrich Aug 29 '21 at 04:20

2 Answers2

1

Assuming you're behind a router and using NAT (Network Address Translation; almost all home networks unless they're IPv6 only), the proxy is almost certainly running on your router. ISP-provided routers are usually pretty bad, but one running an open proxy is... well, I can't say I've heard of something THAT stupid before. I'm not sure what the ISP stands to gain by it, either (somebody pay them to do this? But who, and why?) so my best guess is simple, sheer, mind-blowing incompetence. Like I said, home routers are usually awful, and while normally that just means "open unsecured management interface on the WAN port, need to be rebooted weekly, last firmware update released in 2014", I suppose it could mean "open unsecured proxy" in your case.

Confirm it is the router first of all, of course, but if it is... well, you have a few options:

  • Call the ISP and complain. They might not do anything, but it's worth a shot. If they don't, that's solid excuse for a public name-and-shame, IMO.
  • Log into the router's management interface and look for anything that looks like "run an open proxy", turn it off.
  • Block the port on the router's firewall, through the management interface (it might work).
  • Find a code execution vuln in your router - it's usually easy, if you have much security knowledge (e.g. the "ping" function is often vulnerable to command injection) and just kill the offending service / block the port via the Linux command line.
  • Just buy a new router (or switch to a less phenomenally incompetent ISP, if possible).
CBHacking
  • 48,401
  • 3
  • 90
  • 130
  • It could also be a VPN like Hola which turned (maybe still turns) the users computer into a proxy which then can be used by others. Or it could be a compromised IoT device inside the network - see Resident Evil: Understanding Residential IP Proxy as a Dark Service. – Steffen Ullrich Aug 29 '21 at 06:30
  • @CB you are missing the step of confirming that the traffic is actually coming from the user's router or machines. The OP is connecting to an IP. It is not known *what device* is responding with that IP. It might not be the customer's devices at all. – schroeder Aug 29 '21 at 08:04
  • @schroeder Ctrl+F "Confirm it is the router". I guess I could add some steps about doing that but I definitely didn't miss the step! – CBHacking Aug 29 '21 at 08:25
  • But you jump straight into assuming it is the router. You don't include what it could mean if it is not the router. "the proxy is almost certainly running on your router" – schroeder Aug 29 '21 at 08:29
1

It might be your IP. It might not be your devices.

Many ISPs block or limit incoming connections to residential IPs. The ISP doesn't want home users standing up services that might end up with high volumes of incoming traffic. They might route the incoming traffic to their own services instead. So, in these cases, although the traffic is sent to the IP assigned to your home, the connection is not to your home.

Some ISPs in the past have even set up fake or deceptive P2P nodes so that when people try to connect to residential IPs, they connect to the ISP so that the ISP can collect data and punish the "pirates". So, these IPs end up on abuse lists and open lists of available IP to connect to because the ISP wants them advertised.

It might be your devices

I consider it unlikely that an entire swath of an ISP has open proxies on their residential customer's networks, but it would not be out of the question if there is a common vulnerability in the ISP's routers.

If this is the case, then the proxy would more likely be on the router and not on devices within the customer's networks.

One more step

So, while you have done a lot of investigation into these IPs, you need to go just one step further. You need to see if your router is seeing the traffic.

  • connect to <neighbor IP>:8080 from your IP and check that router's logs for the traffic
    • if you try to connect to your own IP from inside your own network, you might get inconclusive results
  • check the router for any proxy settings or services set up on port 8080 or port forwarding to that port
  • check the traffic within your network with a packet capture tool, like Wireshark, to look for proxy traffic on that port
  • try to scan the IP with a network scanner to learn more about it
    • you might see different hardware/device results on different ports on the same IP, which will be an indication that traffic to different ports are going to different destinations
  • factory reset the router and try to connect

This data gathering will help you narrow down what is actually going on.

schroeder
  • 129,372
  • 55
  • 299
  • 340