ProxyPass FAQ

Answers

How does ProxyPass work?
ProxyPass is not a hosted script. The software is a custom Apache module written in highly optimized C that loads into your Apache binary. As such, all detection and denial policies are handled on the installed client server. Although the details of its architecture are proprietary trade secrets (and protected as such), it works by monitoring all authentication request details (i.e. network endpoints, packet and protocol header information, username, transferred bandwidth) for compliance with detection thresholds set by the Apache administrator. In addition, the ProxyPass client module queries centralized ProxyPass servers for access to the largest, most up-to-date list of open, abused proxies. ProxyPass client servers do not search for proxies, nor are they doing intensive analysis of network traffic patterns; that work is done on the centralized ProxyPass servers.
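As an added illustration (not ProxyPass code, whose architecture is proprietary), the sketch below shows what threshold checks on authentication requests can look like for three of the policy types this FAQ names: IP-burst, username-burst and password sharing. The thresholds, the 60-second window, the event format and the sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Hypothetical thresholds (assumptions, not ProxyPass defaults).
WINDOW = 60      # seconds of history each policy looks at
IP_BURST = 5     # failed logins from one IP within WINDOW
USER_BURST = 4   # distinct IPs failing against one username within WINDOW
SHARE_IPS = 3    # distinct IPs logging in successfully as one username within WINDOW

def _push(queue, ts, ip):
    """Append an event and drop entries older than WINDOW seconds."""
    queue.append((ts, ip))
    while queue[0][0] <= ts - WINDOW:
        queue.popleft()

def detect(events):
    """events: (ts, ip, user, ok) tuples sorted by ts. Returns {(policy, key)}."""
    fail_ip = defaultdict(deque)    # ip   -> recent failures
    fail_user = defaultdict(deque)  # user -> recent failures
    ok_user = defaultdict(deque)    # user -> recent successes
    alerts = set()
    for ts, ip, user, ok in events:
        if ok:
            _push(ok_user[user], ts, ip)
            if len({i for _, i in ok_user[user]}) >= SHARE_IPS:
                alerts.add(("password-sharing", user))
            continue
        _push(fail_ip[ip], ts, ip)
        _push(fail_user[user], ts, ip)
        if len(fail_ip[ip]) >= IP_BURST:
            alerts.add(("ip-burst", ip))
        if len({i for _, i in fail_user[user]}) >= USER_BURST:
            alerts.add(("username-burst", user))
    return alerts

# Constructed sample events using documentation address ranges.
SAMPLE = sorted(
    [(t, "203.0.113.7", f"u{t}", False) for t in range(5)]                 # one IP, many usernames
    + [(10 + n, f"198.51.100.{n + 1}", "carol", False) for n in range(4)]  # many IPs, one username
    + [(20 + 5 * n, f"192.0.2.{n + 1}", "dave", True) for n in range(3)]   # one login, many IPs
    + [(100 + 30 * n, "192.0.2.60", "frank", False) for n in range(5)]     # occasional failures
    + [(300, "192.0.2.50", "erin", False), (301, "192.0.2.50", "erin", True)]  # typo, then success
)

if __name__ == "__main__":
    for policy, key in sorted(detect(SAMPLE)):
        print(policy, key)
```

The username-burst check counts distinct source addresses per username, which is what lets it flag guessing that is spread across many proxies and never trips the per-IP counter.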

What is an "open" proxy?
Open proxies are proxies that have been accidentally, or purposefully, misconfigured to allow anyone to route internet traffic through them without proper safeguards. They serve as often-anonymous intermediaries, masking the original request endpoint from the target server. Open proxies are constantly abused for all manner of fraudulent activities: DDoS attacks, spam, phishing attacks, brute-force cracking, etc. "Drone" machines are similar to open proxies, but may not be open or usable by the public at large. Instead, they are closed to all but a small group of individuals who have the necessary control privileges. Drones are often created when a virus, spyware, or backdoor rootkit infects a target machine, and thereby allows external command and control. Large groups of open proxies and drones together form botnets. Both are identifiable by their fraudulent behavior, a sort of fraud fingerprint.

Are all proxies bad?
No, certainly not. Proxy servers, when correctly used and implemented, are a powerful and necessary tool to improve networking, routing, security, and information caching on the internet. Proxies cannot simply be denied "across the board" precisely because many corporations, universities and ISPs use proxy servers for legitimate purposes. As for AOL and other large ISPs that use proxies for their subscribers: no, ProxyPass will not forbid them because they are proxies. Those proxies are closed to the public and are, in general, configured securely and robustly. When we speak of open, abusable proxies that are used for password cracking, we are speaking specifically of misconfigured proxies.

Is my Apache server querying remote ProxyPass servers for every request?
No, the installed module is not querying the centralized ProxyPass servers for every authenticated request. Your module will build and use a local, fast-lookup cache of proxy information. The centralized data is based upon a highly dynamic, extremely large database of proxies. The database is not "static" and is updated second-by-second.

What if the centralized ProxyPass servers are unreachable?
The ProxyPass client software will still work, and no, your Apache server will not stop handling authenticated requests. If the remote ProxyPass servers are unreachable (e.g. network outage), your Apache module will recognize this and stop querying the centralized servers until they are again reachable. While the centralized servers are unreachable, the client module will still check requests for proxies against its own internal cache. Furthermore, it will continue to block suspect requests for the IP-burst, username-burst, password sharing, and bandwidth policy violations. Most important of all, however, is the fact that browsers will -not- see any network lag or response slowdown when the centralized servers are out of touch. In short, the browser experience will -not- be impacted.
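The outage behaviour described above (answer from the local cache, pause remote queries, resume later) can be sketched as follows. This is an added example, not ProxyPass code: the `fetch` callable, the TTL and back-off values, and the choice to allow addresses the cache has never seen are assumptions.

```python
import time

class ProxyLookup:
    """Local cache in front of a remote proxy list; an outage never stalls a request."""

    def __init__(self, fetch, ttl=300, retry_after=30, clock=time.monotonic):
        self.fetch = fetch            # hypothetical callable: ip -> bool, raises OSError on outage
        self.ttl, self.retry_after, self.clock = ttl, retry_after, clock
        self.cache = {}               # ip -> (is_proxy, fetched_at)
        self.down_until = 0.0         # no remote queries before this time

    def is_open_proxy(self, ip):
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and now - hit[1] < self.ttl:
            return hit[0]             # fresh cache entry, no network round trip
        if now >= self.down_until:
            try:
                verdict = self.fetch(ip)
                self.cache[ip] = (verdict, now)
                return verdict
            except OSError:
                # Feed unreachable: stop querying until the back-off expires.
                self.down_until = now + self.retry_after
        # Outage path: reuse a stale verdict if one exists, otherwise allow
        # (assumed fail-open; the local burst policies would still apply).
        return hit[0] if hit else False

def demo():
    """Constructed scenario: the feed goes down at t=400 and is back at t=431."""
    now, up, calls = [0.0], [True], []

    def feed(ip):                     # stand-in for the centralized servers
        calls.append(ip)
        if not up[0]:
            raise OSError("unreachable")
        return ip == "203.0.113.9"    # constructed "listed" address

    lk = ProxyLookup(feed, clock=lambda: now[0])
    out = [lk.is_open_proxy("203.0.113.9"), lk.is_open_proxy("203.0.113.9")]
    now[0], up[0] = 400.0, False
    out += [lk.is_open_proxy("203.0.113.9"), lk.is_open_proxy("192.0.2.1")]
    now[0], up[0] = 431.0, True
    out.append(lk.is_open_proxy("192.0.2.1"))
    return out, len(calls)
```

During the outage the listed address is still refused from the stale cache entry, and the unknown address is answered without another remote attempt until the back-off expires.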

How do I install and configure ProxyPass?
A ProxyPass support specialist will perform the initial installation and preliminary configuration. ProxyPass is broadly customizable for any Apache environment via custom Apache configuration directives that can be placed in the httpd.conf file or relevant .htaccess files. Although the module comes enabled with a reasonable default set of values for the various configuration directives, administrators can adjust all of these parameters to suit their individual needs. The directives can be scoped to the entire Apache server or to individual virtualhosts. And the ProxyPass client software can be configured to support load-balanced clusters of webservers, allowing for realtime exchange of policy and block information.

Does ProxyPass impact the size and performance of my Apache processes?
The ProxyPass client module is optimized in C for the best possible performance. It will nominally increase each individual Apache child's memory footprint. Rigorous testing and real-world application have not shown any decrease in response speed. In fact, the opposite is true: precisely because the ProxyPass client module is so effective at detecting and denying brute-force password cracking attempts, the performance of your Apache server will increase dramatically.

How will ProxyPass improve my system performance?
During strenuous, real-world password breach attacks, ProxyPass outperforms previous and contemporary products over 10x. For some customers, ProxyPass has decreased the system load averages under heavy attacks nearly 50x! Please see the News section for customer testimonials and quantitative performance numbers proving these assertions. ProxyPass dramatically decreases server load averages because of its highly optimized architecture, optimized network communication with the centralized ProxyPass servers, perfectly functional operation while isolated from the centralized servers, and best-in-class algorithms for attack detection. Quite simply, the software will lower your total cost of ownership on authentication-protected Apache webservers precisely because it can quickly and accurately spot crack attempts. Furthermore, ProxyPass defends against widespread, distributed attack methodologies that, to date, have been ignored. Lastly, ProxyPass can significantly reduce peak bandwidth consumption.

What are the ProxyPass system requirements?
The ProxyPass software augments the security of existing Apache authentication and authorization modules. Please note that ProxyPass does not do the password authentication/authorization control itself; rather it works in conjunction with your existing setup. It is compatible with standard and custom modules (e.g. mod_auth, mod_auth_db[m], mod_auth_mysql) that use Apache access, authentication, and authorization control phases. One of these modules must be installed and configured. ProxyPass also requires a UNIX-based, Apache 1.3.x or 2.x server enabled with dynamic shared object support (DSO mod_so.c). ProxyPass has been deployed successfully on many UNIX flavors in both 32bit and 64bit architectures. Of course, the ProxyPass system also requires money.

How effective is the captcha authentication security feature?
If the ProxyPass captcha authentication wrapper is enabled, the random image code displayed on the login form adds some measure of additional protection against brute force attacks and automated software programs that scrape content from a site. These "captcha" images are a type of Turing test, or challenge used to distinguish human browsers from automated software robots. Unfortunately, most captcha images are easily broken by advanced, automated OCR (optical character recognition) algorithms (see Breaking a Visual Captcha). Captchas are also neutralized by enlisting real humans to do the deciphering for a reward, a "free-porn-if-you-solve-the-captcha" sort of approach (see Defeating CAPTCHAs). Captchas can be a helpful deterrent against the more amateurish brute-force attacks that make up a large portion of offending attacks. However, captchas are not sufficiently secure against serious attacks.

Why isn't the captcha code distorted?
As mentioned in the above question, captcha challenges are easily circumvented by automated OCR analysis. A quick look through standard digital image processing texts will show that common distortion techniques such as color blur, text bending, noise degradation, etc. do not really make it more difficult for OCR programs to decipher the image code. Highly distorted images and more complicated challenges (i.e. entering three words out of ten that are present in the image) do decrease the success rate of OCR programs. But even if an OCR success rate were reduced by half or more, it would not provide a significant barrier to brute force robots; they would continue to guess. And these types of captchas are still susceptible to the "free-porn-if-you-solve-the-captcha" attack. In addition, the excessively complicated challenges are often problematic because humans also have more difficulty deciphering and solving them. Having said that, however, ProxyPass does include configuration options to use scalable font support for the captcha image with varying levels of distortion. A few examples are shown here.

The default captcha authentication form is too plain. Can I customize it?
Yes, the captcha authentication form's HTML layout can be "skinned" using simple HTML templates, on a vhost-by-vhost basis. ProxyPass includes the plain, default authentication form simply as a convenience to our customers; it serves as an efficient and low-bandwidth starting point.

Does ProxyPass have geo-IP mapping features?
Yes, ProxyPass supports country-based threshold policies, in addition to IP subnet policies. Webmasters also gain increased IP-to-country visibility in their block stats and historical logs. These geo-IP features are automatically enabled if the industry-standard (and freely available) mod_geoip Apache module is installed.

Why doesn't ProxyPass use high resolution geo tracking?
The most important answer is that fine-grained geo mapping is not accurate enough, especially for authorization controls. It can be useful for targeted marketing campaigns or similar applications, but anything below the country-level (which ProxyPass supports) is quite inconsistent. Please view the published statistics on accuracy from one of the industry leaders in geo-IP targeting, MaxMind. Notice that the city identification is only 80% accurate in the USA and Canada, as low as 50% in the UK, and around 70% in many large European and Asian countries. What this means is that there are plenty of mistaken mappings; and unreliable mapping leads to mistaken blocks. A secondary reason for not including any mapping below the country-level is that the internet IP space does not map very closely to physical, geographic space. Proxy servers, large web caches, ISP/university/corporate gateways, VPN tunnels, and many other common and legitimate routing setups all create situations where one or many users may look as if they are in a different physical spot from their actual location.

Can I automatically change passwords for members that have been blocked?
Yes, ProxyPass includes API hooks that allow you to trigger scripted events or external applications from within the module. This allows for complete customization and interaction with billing systems and member password storage systems. In addition to automated password changes, we have customers using the API features to customize and aggregate statistics, export to SQL databases, send out periodic email reports, and much more. Our customer support specialists are happy to provide syntax and scripting help for whatever you have in mind.

Can I run ProxyPass at the same time as a competitive script?
Yes, ProxyPass is a low-level C module, fully compliant with Apache standards. It will not interfere with other modules or cgi/php scripts running at the same time, provided that those other programs remain compatible with Apache authentication standards. If the intent is to compare ProxyPass with a competitive product running simultaneously, however, we recommend keeping a few caveats in mind. First, make sure ProxyPass is configured similarly to the other application with regard to policies, thresholds, and settings. Otherwise, the comparison will not be an "apples-to-apples" one. Second, measure the server load averages during an attack while running ProxyPass alone before comparing to the load averages experienced with the comparative product. You will quickly find that our optimized module architecture is superior to competitive scripts, whether fully resident on your machine or "hosted" remotely.

Copyright © 2001-2016 Proxigence