You'd think I'd be smart enough not to leave any holes open, but there you go. I accidentally left a caching proxy Web server running on a Macintosh on my network, and, sure enough, within a few weeks, someone probing found it and started attacking through. I count 5,000 unique addresses sending thousands upon thousands of queries that are all illegitimate: retrieving porno sites, logging into Yahoo accounts, etc. All static URLs, from what I can tell. The goal is to run Denial of Service on the remote sites as well as flood my bandwidth.
The pattern was determined from looking at our router stats via the MRTG tool that takes five-minute snapshots. I couldn't figure out what kind of attack would flood inbound and outbound traffic to the same extent. Of course, a proxy would: the remote retrieval and then the remote transmission (back to the request location) would be the same size.