The Patsy Proxy: Getting others to do your dirty work
Patsy (slang) - A person easily taken advantage of, cheated, blamed, or ridiculed.
My girlfriend (@savagejen) and I will be presenting at Derbycon this year about some research we've done into systems not configured as proxies, but which will pass traffic for you anyway. To understand the concept better, let's look at an example: Google Translate.
If you put a URL into Google Translate, it will go and fetch the page, then translate it using the languages you specify. If you were to launch attacks at the site using the Google Translate interface, the originating IP found in the web logs would be Google's, not yours!
This is just one example of a system that will pass traffic for you. There are many, many systems out there which will operate in similar ways.
The first obvious implication here is one for incident responders. It may be convenient to say that the IP which you found in your logs is owned by the person who attacked you. It is even more convenient to say so when the machine tied to that IP does not run any sort of traditional proxy service. However, it's not necessarily true.
Another danger associated with these "patsy proxies" is that since the application owner likely isn't aware that their application can act as a proxy, they might not go through the normal hardening steps to prevent abuse of that proxy. One potential danger of this is allowing network boundaries to be violated and firewalls to be traversed. An application which can act as a proxy might actually present a vulnerability which allows an external attacker to lay waste to internal systems!
To learn more about what systems can be used in this way, their potential for abuse, and the implications of all this hullaballoo, come watch "The Patsy Proxy: Getting others to do your dirty work" at Derbycon this year.
All trademarks are copyright their respective owners. The appearance of trademarks doesn't imply any association with their owners. Please don't hurt me with your legal hurty stick.