Showing posts with label port 8909. Show all posts

Sunday, August 28, 2011

4.1 million proxies!


Almost a month after the 4,000,000 mark, that's about right. 100K proxies per month is a little high, just a little above average.

Here's the thing: that 0.1 million is 100% TCP port 8909 proxies.

Between midnight August 1st and this very moment (6AM on the 28th) I've snarfed up 105,272 of these suckers. That's over 2.5% of the entire database.

It looks like I was right about the demise of port 9415. Those boxes are gone. Here are the daily numbers from April 1st to now.


I am still looking for the port 8909 culprit. I downloaded QQPlayer_Setup_32_845.exe from "somewhere in China" and installed it on a VM to see if it opened up port 8909, but it didn't. It was a good suspect because it came out in June. Here it is...


Since it's in Chinese, running it is something of an issue for me. Even though this thing didn't open up port 8909, it does have some kind of built-in proxy capabilities. Take this DLL for example:


It's even signed by Verisign! Anyway, taking a quick peek reveals some interesting details (click for a larger view):


The presence of CStunClient and CStunSvr struck a note. "STUN" means "Session Traversal Utilities for NAT" and you can read all about it here. The problem is, STUN is typically a UDP thing whereas proxies (besides SIP proxies) use TCP. Still... it looks like a smoking gun.

Otherwise, the Youku/Tudou/QQ hegemony has been making a lot of news lately. Take this article for example. You may recall Tudou was responsible for port 9415.

This month I have learned that these proxies have more staying power than their port 9415 predecessors, which tended to disappear forever after they were gone. They do disappear, but they can come back after a few days. This means all those "dead" proxies that never made it into the gold table (over 88,000 timed out or the port was closed when they were first scraped) may still be usable.

Back in the USA, the SOCKS proxies march on, with the notable exception of port 27977. What is going on there?

Apparently this was the TDSS rootkit. This is one of the few sources I have found that specifically link TDSS with port 27977. TDSS was a tool leveraged by the Rustock botnet, which was taken down in March.

So you can put a fork in that one.

Saturday, August 13, 2011

The Last Days of Port 9415?


I just ran some quick numbers on the proxy database to see what's going on with ports 8909 and 9415. I did a couple of blog entries in May and June about port 9415, but I dropped the ball in July and then got distracted by port 8909 the first week of August.

What I found was this...


Port 9415 (blue) is indeed dropping like a rock and port 8909 (red) is becoming the dominant port.

Considering the source—public proxy lists—I have to wonder whether the proxy scanners have given up on 9415 or whether 9415 has simply run its course. With that in mind I looked at Dshield's data.


meh.

Hard to say. The "Target" line (green) reveals attempted port scans. Dshield gets their data from network dweebs who think their firewall logs are meaningful in some way, so their results are screwed skewed.

Here is Dshield's report on 8909...


Once again, we're looking at the green line. And once again... meh

Too bad there isn't a Chinese Dshield.

Have the scanners given up on port 9415? I would have to say no, but considering how awful those proxies were, I wouldn't blame them if they dropped 9415 in favor of the vastly superior port 8909 proxies. 9415 is just one number in a list of 65,535 numbers, and—trust me—they're scanning all of them.

I think there's some kind of real effect going on here. It would be nice if it was a result of my April disclosure about PPLiveAV, but it could be something else entirely.

Only about 750 unique addresses have been seen listening on both ports. Whether this is simply "DHCP churn" or users running both clients concurrently is unknown, but if it were a mass migration from the PPLive player to the Youku player, you'd think there would be more dual port database hits. However, from my research—which is limited at this time—I don't believe that the client software is interchangeable.

Time will tell where this trend is headed, but it's been less than a month since port 8909 showed up with the daily numbers it has now. If PPLiveAV was fixed, the "lessons learned" were lost on the developers of the Youku client software.
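As an added illustration of the kind of tally described above (daily sightings per port and addresses seen listening on both 8909 and 9415), here is a small Python sketch. It is not the blog author's database or scripts; the sighting records are constructed sample data using RFC 5737 documentation addresses, and the column layout (ip, port, date seen, alive on first check) is an assumption.

```python
"""Added example (not the blog's own code or database): summarise a table of
proxy-list sightings the way the post describes -- daily counts per port,
addresses seen on both ports, and the live-hit rate of one day's scrape.
All records below are constructed sample data, not real proxy addresses."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sightings: (ip, port, date_seen, alive_on_first_check).
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SIGHTINGS = [
    ("192.0.2.10", 9415, date(2011, 8, 1), False),
    ("192.0.2.11", 9415, date(2011, 8, 1), True),
    ("192.0.2.12", 8909, date(2011, 8, 1), True),
    ("192.0.2.10", 8909, date(2011, 8, 2), True),    # same host, both ports
    ("192.0.2.13", 8909, date(2011, 8, 2), False),
    ("192.0.2.14", 8909, date(2011, 8, 2), False),
    ("198.51.100.5", 9415, date(2011, 8, 2), False),
    ("198.51.100.6", 8909, date(2011, 8, 3), True),
    ("198.51.100.5", 8909, date(2011, 8, 3), False),  # both ports as well
    ("198.51.100.7", 8909, date(2011, 8, 3), False),
]


def daily_counts(sightings, ports=(8909, 9415)):
    """Return {date: {port: count}} of sightings per day for the given ports.

    This is the data behind a 'blue line vs red line' plot: one series per port.
    """
    table = defaultdict(Counter)
    for _ip, port, day, _alive in sightings:
        if port in ports:
            table[day][port] += 1
    return {day: dict(counts) for day, counts in sorted(table.items())}


def addresses_on_both(sightings, port_a=8909, port_b=9415):
    """Return the sorted addresses that have been seen on both ports.

    A small intersection relative to either port's total is what the post
    uses to argue against a simple one-to-one migration between clients.
    """
    by_port = defaultdict(set)
    for ip, port, _day, _alive in sightings:
        by_port[port].add(ip)
    return sorted(by_port[port_a] & by_port[port_b])


def live_hit_rate(sightings, port, day):
    """Fraction of one day's scraped entries for `port` that were alive
    on the first check (0.0 when nothing was scraped that day)."""
    scraped = [s for s in sightings if s[1] == port and s[2] == day]
    if not scraped:
        return 0.0
    return sum(1 for s in scraped if s[3]) / len(scraped)


if __name__ == "__main__":
    for day, counts in daily_counts(SIGHTINGS).items():
        print(day, counts)
    print("on both ports:", addresses_on_both(SIGHTINGS))
    print("live rate 9415 on 2011-08-01:",
          live_hit_rate(SIGHTINGS, 9415, date(2011, 8, 1)))
```

On a real sightings table the same three functions would be run over the full dump; the day-by-day dictionary is what gets plotted, and the intersection size is the "dual port" figure the post quotes.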

Saturday, August 06, 2011

TCP Port 8909 Proxies

If you've been paying attention to the Proxy List you will have noticed the ramp up of Chinese proxies on port 8909.

In May, I pulled a paltry 32.

Things picked up in June. I scraped up 185.

In July things took off for port 8909, with a grand total of 23807.

Less than a week into the month of August, I have over 16,000 new ones!

At this point I have only scraped the surface of this, but it appears to be a mobile product called Youku player. You can download the Android version here if you dare.

Once again, like port 9415, these things come and go.

But they're not going away.

UPDATE 9:30AM

Unlike their cousins on port 9415 these are actually pretty damned good High Anon proxies. The speed is great. None were blocked by 4chan, which is highly unusual for any proxy. It seems like those in Shanghai are the most reliable, but that's just my first impression. YMMV.

Government spooks and contractors take note: you can use these to stage your false flag attacks!


UPDATE 08/07/2011 7:30AM

I pulled 3,268 of these proxies since midnight. Out of those, 116 were alive. That's a 3.5% live hit rate, which is about 3.5 times the usual live hit rate for public proxy lists (1 out of 100 is typical).

At this rate—assuming they don't fix it—August should end with over 60,000 of these proxies.

And, so far, they have staying power. I routinely overcheck all Chinese proxies, since they historically have been so ephemeral. This is why the List expands and contracts during the day.

UPDATE 08/09/2011 5:50AM

Wow. August's count is already past July's, with 27,190 of these proxies scraped since the first. The List is 20 pages long and 79% of the proxies are 8909'ers.

Just... wow.