Detecting Intermediary Hosts by TCP Latency Measurements

Use of intermediary hosts as stepping stones to conceal tracks is common in Internet misuse. It is therefore desirable to find a method to detect whether the originating party is using an intermediary host. Such a detection technique would allow the activation of a number of countermeasures that would neutralize the effects of misuse, and make it easier to trace a perpetrator. This work explores a new approach in determining if a host communicating via TCP is the data originator or if it is acting as a mere TCP proxy. The approach is based on measuring the inter packet arrival time at the receiving end of the connection only, and correlating the observed results with the network latency between the receiver and the proxy. The results presented here indicate that determining the use of a proxy host is possible, if the network latency between the originator and proxy is larger than the network latency between the proxy and the receiver. We show that this technique has potential to be used to detect connections were data is sent through a TCP proxy, such as remote login through TCP proxies, or rejecting spam sent through a bot network.