About


What is this website doing?

The purpose of this project is to demonstrate that any website or app can detect with high accuracy whether a user is using a Proxy or VPN. Aggressive marketing from VPN providers over recent years has created the false impression that VPNs are undetectable and that users can change their geographic location without being noticed. This is clearly wrong!

By passively probing incoming network flows, the detection engine makes a live assessment and estimates how likely it is that the connection is tunneled through a Proxy or VPN. This is possible because Proxies and VPNs have unique cues and patterns in their connection establishment. The detection engine considers both active JavaScript signals and passive server-side signals.

No IP address block-lists are used to make a detection decision. Every connection is treated as "clean" from the beginning, and a connection is considered to be routed through a Proxy or VPN only if significant proof has been found.

In most cases, the detection engine cannot detect your true IP address (the IP address hidden by the Proxy or VPN). However, in almost all cases, the detection engine correctly infers whether an anonymization technology is used.

Knowing whether a specific user is using a Proxy or VPN is useful in many situations. Some examples:

  • Security-critical services such as online banking or payment processors might want to know whether a transaction was made by a user with a VPN or Proxy in order to later use this information in the case of fraud.
  • Netflix does not want their users to use a VPN to bypass geographic restrictions on media content.
  • A market survey company that sells Internet surveys (and pays the people who complete those surveys) might want to verify that a user is really connecting from the country they claim to be in, in order to guarantee the survey's quality.

How does Proxy & VPN Detection work on a Technical Level?

Both Proxies and VPNs can be used to hide the real IP address of a device and allow cyber criminals to commit fraud online. However, since the architecture of proxies and VPNs is significantly different on a technical level, the detection of proxies and VPNs has to be treated separately.

Nevertheless, on an abstract level, proxies and VPNs behave the same: Both route network traffic over an intermediate server so that the destination believes that the original connection is coming from the proxy or VPN server.

Figure 1: Proxies and VPNs behave essentially the same from an anonymity perspective.

How accurate is Proxy & VPN Detection?

Every signal detection technology suffers from false positives and false negatives. The detection engine from proxydetect.live is no exception, but its accuracy (above 95%) and recall (above 85%) are reasonably high and much better than those of any tool that relies on block-lists.

It is not recommended to block users based on the score from the proxydetect.live detection engine alone. Instead, it is advised to ask a suspicious user for proof that they are legitimate by:

  • SMS or Call Verification
  • Captcha Verification
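
One way to express this policy in code, as an added example that is not the proxydetect.live engine: every connection starts at a score of 0 ("clean"), evidence is combined with a noisy-OR, and the result maps to a verification step instead of a block. The signal names, confidence values, thresholds and the ordering of Captcha before SMS are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    name: str          # hypothetical signal name, not one used by the real engine
    source: str        # "active" (JavaScript) or "passive" (server-side)
    confidence: float  # 0.0..1.0: how strongly this signal alone indicates a tunnel

def tunnel_score(signals):
    """Noisy-OR combination: 0.0 ("clean") with no evidence, rising with each signal."""
    clean = 1.0
    for s in signals:
        if not 0.0 <= s.confidence <= 1.0:
            raise ValueError(f"confidence out of range for {s.name}")
        clean *= 1.0 - s.confidence
    return 1.0 - clean

def decide(signals, challenge_at=0.5, strong_at=0.9):
    """Map the score to a step-up action; there is deliberately no 'block' outcome."""
    score = tunnel_score(signals)
    if score >= strong_at:
        action = "sms_or_call_verification"
    elif score >= challenge_at:
        action = "captcha"
    else:
        action = "allow"
    return round(score, 3), action

# Constructed sample inputs (hypothetical signals and confidences).
WEAK = [Signal("passive_signal_a", "passive", 0.4)]
MEDIUM = WEAK + [Signal("active_signal_b", "active", 0.5)]
STRONG = [Signal("passive_signal_c", "passive", 0.7),
          Signal("active_signal_d", "active", 0.8)]

if __name__ == "__main__":
    for label, sigs in (("none", []), ("weak", WEAK), ("medium", MEDIUM), ("strong", STRONG)):
        print(label, decide(sigs))
```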

Ethics

Detecting anonymization technology is a double-edged sword. It can be used for good and evil. There exist many situations in which service providers have a right to know whether their clients are presenting their true origin.

How your IP Address Identifies You

On the World Wide Web, your public IP address is used as an identification number for your network adapter. Essentially all communication on the Internet takes place over the Internet Protocol (IP). Without your IP address, your communication peers wouldn't know where to send IP packets. However, at the same time, your IP address can be used to identify you as a person. How does this identification process work in detail?

In many countries across the globe, when you subscribe to an ISP such as T-Mobile or AT&T, regardless of whether you purchase a mobile SIM card or a home Internet package, you have to identify yourself with your passport. For example, in many countries of the EU, you have to provide your identification card when you purchase a SIM card. Therefore, your ISP maps your real identity to the IP address that was assigned to your device at any point in time. Thus, if you commit a cybercrime without using a VPN or Proxy, any website that stores your IP address can contact the authorities, which in turn can request your ISP to reveal your identity.

However, even if you do not have to authenticate yourself with your real identification when purchasing Internet access, authorities have many alternative ways to detect your physical location:

  • If you use a mobile connection via SIM card, authorities can locate you either via GPS or cell tower triangulation.
  • If you use a home Internet connection, your ISP knows the exact physical location of the connection endpoint and will reveal this location to authorities upon request.

Without going into further detail, you have to assume that your ISP in combination with authorities can identify your physical location or personal identity if you browse the Internet without anonymization technology such as Proxies or VPNs.

Who is using Anonymization Technology such as VPNs or Proxies?

Because your public IP address can reveal your location and identity, cyber criminals and hackers are motivated to hide it. But not only cyber criminals are motivated to hide their IP address.

For example, journalists and activists often prefer to work with anonymous VPNs in areas of the world where governments are hostile towards them. In many parts of the world, Internet access is surveilled and state actors censor access to it. Or even worse, they trace Internet users by their assigned IP address and imprison them.

proxydetect.live does not intend to detect such legitimate use of anonymization technology. However, there are many other reasons that lead Internet users to use impersonation technologies. The motivations for using anonymization technology can be divided into three legality classes:

  1. Benign reasons to use VPNs & Proxies
  2. Legal Greyzone of using VPNs & Proxies
  3. Malicious and Illegal reasons to use VPNs & Proxies

Benign Reasons for using Proxies and VPNs

There are many reasonable situations that require people to remain anonymous on the Internet.

  • Journalists and activists in hostile environments want to protect themselves from governments
  • Whistleblowers who need to remain anonymous
  • In general, everyone who wants to protect their privacy online (not being tracked by advertisers or governments)

Legal Greyzone

There is a vast legal greyzone of use cases that involve Proxies and VPNs. For example, many people install VPNs in order to access geo-restricted content (unblocking). Media content is often restricted to people of a certain country or region. For instance, the BBC iPlayer is only accessible to visitors from the UK.

Figure 2: The BBC iPlayer is not accessible to people outside the UK. A VPN from the UK would unblock the BBC iPlayer.

Another example of a legal greyzone is the scraping of website content. The laws regarding web scraping or web crawling are not entirely clear. In 2021, the court in a lawsuit initiated by LinkedIn against a competitor decided that scraping data is not an act of hacking:

In its second ruling on Monday, the Ninth Circuit reaffirmed its original decision and found that scraping data that is publicly accessible on the internet is not a violation of the Computer Fraud and Abuse Act, or CFAA, which governs what constitutes computer hacking under U.S. law. [1]

Furthermore, many streaming and service providers charge different rates in different regions on the globe. A monthly Netflix subscription costs almost 5x as much in the United States compared to India.

The same applies to the dating app Tinder. For example, Tinder costs less in India than in other countries.

Malicious and Illegal Activity

There also exist many illegal situations in which anonymization technology helps perpetrators to remain anonymous so that law enforcement cannot pursue them.

  • Any acts of cyber crime
  • Accessing online banking over VPNs or Proxies and withdrawing money from a stolen account
  • Credential stuffing attacks
  • Spamming
  • Using bots for scalping purposes

What is the difference between Proxies and VPNs?

There exist many different anonymization technologies on the Internet. But broadly speaking, most anonymization technologies can be divided into two classes:

  • Proxies
  • VPNs

The difference between Proxies and VPNs is as follows: Proxies are implemented on the transport layer of the network stack. This means that Proxy software runs on the TCP or UDP level and does not need to craft IP packets directly. On the other hand, VPN protocols are usually implemented on the network layer, which means that the traffic of an entire network interface is tunneled through a VPN.

Figure 3: The OSI network layers. Proxies are implemented in the transport layer, whereas VPNs are implemented in the network layer. [2]

There exist two different types of proxy protocols: HTTP(S) Proxies and SOCKS Proxies. HTTP Proxies use the HTTP CONNECT method to proxy traffic through an HTTP Proxy server, whereas SOCKS proxies use a dedicated protocol to relay traffic through a SOCKS server.

  • HTTP Proxies are standardized in RFC 2068
  • The SOCKS protocol is standardized in RFC 1928
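
The difference between the two proxy protocols is visible in the first bytes a client sends to the proxy server. The following Python code is an added example (not code from proxydetect.live): it parses an HTTP CONNECT request line and the SOCKS5 greeting and request defined in RFC 1928, using constructed sample messages for example.com:443.

```python
import ipaddress
import struct

def parse_http_connect(data: bytes):
    """HTTP proxy: a text request line, 'CONNECT host:port HTTP/1.1'."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return {"protocol": "http-connect", "host": host.strip("[]"), "port": int(port)}

def parse_socks5_greeting(data: bytes):
    """SOCKS5 (RFC 1928, section 3): VER=5, NMETHODS, then NMETHODS method bytes."""
    if len(data) < 3 or data[0] != 5 or len(data) != 2 + data[1]:
        return None
    return {"protocol": "socks5", "auth_methods": list(data[2:])}

def parse_socks5_request(data: bytes):
    """SOCKS5 (RFC 1928, section 4): VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    if len(data) < 7 or data[0] != 5 or data[2] != 0:
        return None
    command = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}.get(data[1])
    atyp, body = data[3], data[4:]
    if command is None:
        return None
    if atyp == 1 and len(body) == 4 + 2:                 # IPv4 address
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == 4 and len(body) == 16 + 2:              # IPv6 address
        host = str(ipaddress.IPv6Address(body[:16]))
    elif atyp == 3 and len(body) == 1 + body[0] + 2:     # length-prefixed domain name
        host = body[1:1 + body[0]].decode("ascii", "replace")
    else:
        return None
    (port,) = struct.unpack("!H", body[-2:])             # network byte order
    return {"protocol": "socks5", "command": command, "host": host, "port": port}

# Constructed sample messages for example.com:443 (not captured traffic).
HTTP_SAMPLE = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
SOCKS_GREETING = bytes([5, 1, 0])                        # one method offered: 0x00, no auth
SOCKS_REQUEST = bytes([5, 1, 0, 3, 11]) + b"example.com" + struct.pack("!H", 443)

if __name__ == "__main__":
    for msg in (HTTP_SAMPLE, SOCKS_GREETING, SOCKS_REQUEST):
        print(parse_http_connect(msg) or parse_socks5_greeting(msg) or parse_socks5_request(msg))
```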

Detection Model

In this section, the detection model for Proxy and VPN Detection is defined.

The detection model is fairly simple: A client is using any kind of modern browser such as Safari or Chrome and is visiting a website. This website delivers JavaScript to the client. The client must support the execution of JavaScript. Based on data collected with JavaScript and on any kind of program running on the server, the server decides whether the client is communicating over a Proxy or VPN server.

Figure 4: The detection model for Proxy and VPN detection.

Put differently, the following constraints make Proxy and VPN Detection challenging:

  • The only code that can be executed on the client is sandboxed and restricted JavaScript.
  • Trivial detection would be to simply read the network configuration of the client. This could be done with code running with privileged rights. For example, an Android App can trivially read the network configuration of the system.
  • Hence, Proxy and VPN detection mostly applies to web traffic and restricted iOS and Android app traffic.

Software & Protocols

VPN Software Examples

There exist many different VPN protocols and VPN implementations. Essentially, a VPN protocol specifies how packets are routed through the Virtual Private Network and how encryption and authentication are handled. VPN protocols may use TCP or UDP, but UDP is by far the more common choice. In this section, the most widely used VPN protocols are listed.

  • IKEv2 - Stands for Internet Key Exchange version 2 and is common among mobile VPN apps, because it allows automatic reconnection upon network change. Mobile phones often switch between mobile and Wi-Fi connections.
  • WireGuard® - WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache.
  • OpenVPN - Easily the most popular VPN protocol. Uses the OpenSSL crypto library internally and works with both UDP and TCP. TCP is much slower, but allows for stable connections.
  • PPTP - The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. PPTP has many well known security issues. A specification for PPTP was published in July 1999 as RFC 2637.
  • SSTP - Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking.

Proxy Software Examples

As mentioned above, the most common proxy implementations are based on either the SOCKS protocol or the HTTP protocol.

  • Squid - Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
  • Dante - Dante is a product developed by Inferno Nettverk A/S. It consists of a SOCKS server and a SOCKS client, implementing RFC 1928 and related standards. It is a flexible product that can be used to provide convenient and secure network connectivity.
  • 3Proxy - 3Proxy tiny free proxy server is really tiny cross-platform (Win32/Win64&Unix) freeware proxy servers set. It includes HTTP proxy with HTTPS and FTP support, SOCKSv4/SOCKSv4.5/SOCKSv5 proxy (socks/socks.exe), POP3 proxy, SMTP proxy, AIM/ICQ proxy (icqpr/icqpr.exe), MSN messenger / Live messenger proxy (msnpr/msnpr.exe), FTP proxy, caching DNS proxy, TCP and UDP portmappers.
  • GoProxy - The GoProxy is a high-performance http proxy, https proxy, socks5 proxy, ss proxy, websocket proxies, tcp proxies, udp proxies, game shield, game proxies.
  • Simple Socks Server - Creates a simple SOCKS5 server and exposes additional SOCKS5 proxy events.

Commercial Providers

VPN Providers

An uncountable number of VPN providers compete for customers. It is extremely simple to rent a cloud instance and set up a VPN server nowadays. Therefore, there is huge competition in the VPN provider space. The following list contains the most notorious and well-known VPN providers.

  • NordVPN - A good VPN service provides you a secure, encrypted tunnel for online traffic to flow. Nobody can see through the tunnel, get their hands on your online data, or find your real IP address and location.
  • ExpressVPN - Connect reliably from anywhere, to anywhere. Our network of high-speed servers across 94 countries puts you in control.

Proxy Providers

Proxy providers are also plentiful. There are mobile proxy providers, residential proxy providers and datacenter proxy providers. The list below includes some of the largest known proxy providers:

  • BrightData - Award-winning proxy networks, powerful web scrapers, and ready-to-use datasets for download. Welcome to the world's #1 web data platform.
  • Oxylabs - Join over a thousand businesses that use Oxylabs proxy networks and Scraper APIs to unlock public web data at scale.
  • IPRoyal - More than 8,056,839 IPs. Global proxy network with 100% ethically sourced IPs.
  • smartproxy.com - Effortlessly scrape web data you need
  • airproxy.io - Dedicated Mobile Proxies
  • proxidize.com - Proxidize is a revolutionary mobile proxy network creation and management platform built on mobile devices allowing businesses to create ultra-powerful proxies that are incomparable to anything else.