Voxga Research

2025-05-06

Project Satyr: Finding Bad Guys Hiding Behind Proxies (and having fun in the meantime)

In our last post, we talked about Floe, our new Layer 7 proxy that’s currently in Alpha. We want to provide Floe with some IP intel. That’s where Project Satyr comes in.

Part 1: Sharing is Caring (Especially IP Intel)

This part is pretty simple, really. We don’t protect the entire internet (yet!), so we don’t see all the attacks. But other people do!

So, we’re teaming up with other cool security folks (the very cute ones we mentioned before) who also run proxies and protection services. We’re setting up a system to share lists of IP addresses that have been naughty on their networks or ours.

  • What we share: Basically, lists of IPs known for DDoS.
  • Why: More eyes see more things. If an IP attacks one of our partners, we can know about it before it attacks us, and vice-versa. This means Floe (and our partners’ systems) can block or challenge these IPs faster and more effectively. Strength in numbers, or something like that.

Part 2: The Honeypot Proxy Thingy - Now It Gets Spicy

Attackers love proxies. SOCKS5, HTTP proxies, whatever they can find. And when they use them to attack your website, all you see is the IP address of the last proxy in the chain. Trying to report that IP is often useless – it might be a compromised machine, a legit public proxy service, or just gone by tomorrow. You almost never get the real source IP of the attacker.

We thought, “That’s annoying.” So, we’re doing something about it.

We’re setting up a bunch of our own proxies. These will look and act like regular SOCKS5/HTTP proxies that an attacker might find and use. But here’s the trick:

  1. They Look Normal: Attacker finds our proxy, thinks “Cool, free proxy!” (they don’t actually say that).
  2. They Are Not Normal: Under the hood, these proxies are basically honeypots. They perform Man-in-the-Middle (MITM) inspection. Yeah, we’re watching the traffic (for security research and to catch bad guys, obviously). We log everything – especially the source IP connecting to our honeypot.
  3. The “Aha!” Moment: The honeypot constantly checks where the traffic passing through it is going. If the destination IP belongs to us (Voxga) or one of our Project Satyr partners… BINGO!
  4. Alert! Alert!: The honeypot sends us (or the partner being targeted) an alert. This alert contains the target IP, maybe some info about the request, and crucially: The Attacker’s Source IP Address.
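A sketch of the destination check in steps 3 and 4 for the SOCKS5 case, as an added example that is not Voxga's code. The protected ranges, owner names, function names and alert fields are assumptions, and all addresses are constructed documentation values.

```python
import ipaddress
import struct

# Constructed protected ranges (documentation prefixes) standing in for
# Voxga/partner address space; the post does not publish real ranges.
PROTECTED = {
    "voxga": [ipaddress.ip_network("203.0.113.0/24")],
    "partner-a": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("2001:db8:50::/48")],
}

def parse_socks5_request(buf):
    """Return (ip_or_None, hostname_or_None, port) from a SOCKS5 request (RFC 1928)."""
    if len(buf) < 4 or buf[0] != 5:
        raise ValueError("not a SOCKS5 request")
    atyp, body = buf[3], buf[4:]
    if atyp == 1 and len(body) >= 6:        # IPv4 destination
        return ipaddress.ip_address(body[:4]), None, struct.unpack("!H", body[4:6])[0]
    if atyp == 4 and len(body) >= 18:       # IPv6 destination
        return ipaddress.ip_address(body[:16]), None, struct.unpack("!H", body[16:18])[0]
    if atyp == 3 and body and len(body) >= 1 + body[0] + 2:   # domain name
        n = body[0]
        return None, body[1:1 + n].decode("ascii", "replace"), struct.unpack("!H", body[1 + n:3 + n])[0]
    raise ValueError("truncated or unknown address type")

def owner_of(ip):
    """Name of the protected party whose range contains ip, else None."""
    for owner, nets in PROTECTED.items():
        if any(ip.version == n.version and ip in n for n in nets):
            return owner
    return None

def check_connection(client_ip, request, resolved=()):
    """Return an alert dict if the proxied destination is protected, else None.
    client_ip is the TCP peer the honeypot saw; resolved holds the IPs the
    honeypot obtained when it resolved a domain-name target itself."""
    dest, host, port = parse_socks5_request(request)
    candidates = [dest] if dest is not None else [ipaddress.ip_address(r) for r in resolved]
    for ip in candidates:
        ip = getattr(ip, "ipv4_mapped", None) or ip   # ::ffff:a.b.c.d hides an IPv4 target
        owner = owner_of(ip)
        if owner:
            return {"notify": owner, "target": str(ip), "port": port,
                    "host": host, "source": client_ip}
    return None

# Constructed SOCKS5 CONNECT to 203.0.113.10:443 from a constructed client address.
SAMPLE = bytes([5, 1, 0, 1, 203, 0, 113, 10]) + struct.pack("!H", 443)
print(check_connection("192.0.2.77", SAMPLE))
```

Domain-name targets and IPv4-mapped IPv6 addresses are the cases a plain IP comparison misses, which is why the check runs on every resolved address after normalization.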

Let’s Draw It Out (Poorly)

Here’s the usual way, which sucks for defenders:

+-------------+        +----------------+        +-----------------+
| Attacker    | -----> | Random Proxy   | -----> | Your Website    |
| (Real IP: A)|        | (IP: P)        |        | (Sees IP: P)    |
+-------------+        +----------------+        +-----------------+
                                                       |
                                                       v
                                                 "Who is IP 'P'? Idk."
                                                 Attacker IP 'A' is hidden.

And here’s how it works with our Satyr Honeypot Proxy:

+-------------+        +--------------------+        +-----------------+
| Attacker    | -----> | Satyr Honeypot     | -----> | Your Website    |
| (Real IP: A)|        | Proxy (IP: H)      |        | (Sees IP: H)    |
+-------------+        | (MITM + Logging)   |        +-----------------+
                       +--------------------+
                             |      ^
[Destination Check:   ALERT! |      | Target Matched!]
It's us/a partner!] ---------+      +------------- You still see 'H',
                             |                     but WE get notified...
                             v
                  +-----------------------------+
                  | Alert Sent to Voxga/Partner |
                  | Target: Your Website IP     |
                  | Source: ATTACKER IP ('A')   | <--- GOTCHA!
                  +-----------------------------+

So What’s the Point?

This honeypot system means:

We’re not claiming this honeypot idea is 100% unique in the history of the universe, but we haven’t seen any blogposts about it, so…

What’s Next for Satyr?

We’re starting Project Satyr with 10 of these honeypot proxies scattered around. We’ll see how it goes – maybe we’ll add more, maybe 10 is enough for now. We’re also actively talking to potential partners to join the shared IP intel part. If you run a security service and think sharing intel sounds like a good idea (and maybe you’re very cute), get in touch.

For the attackers reading this: Maybe find a new hobby?

Stay tuned for more updates!

Authored by Sakura