To verify whether an IP belongs to a proxy, VPN, or TOR, a detection system must observe several characteristics. Some of the most important are the network behavior patterns that proxies and VPNs tend to have. These can be spotted through traceroute or by examining the HTTP request headers, such as X-Forwarded-For and User-Agent anomalies.
Another way to detect proxies is through latency measurements (browser to server and server to browser). If the latencies are significantly different, it suggests that there’s an intermediate host between the client and the web-server. The intermediate host needs to “glue” the TCP/IP connections together – this adds some time to the communication.
More advanced systems use device fingerprinting techniques, which look at more granular data inside of the packet beyond the headers. These techniques look at things such as the language, system characteristics and timezones of the user’s device or browser and compare them with expected values. If these values are out of the norm, this could indicate a proxy or VPN connection.
Another useful way to detect proxies is through reverse DNS lookup. If the query results in a domain name that is associated with a proxy service or has no other business relationship, this can also be an indication of a proxy or VPN connection. Finally, advanced systems can utilize deep packet inspection technologies to examine data in the actual network packets themselves at a very granular level. This can detect patterns that are consistent with proxies or VPNs, such as encrypted traffic that is often associated with tunneling protocols.
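The passive signals described above (forwarding headers, a latency gap, fingerprint mismatches, and the reverse DNS name) can be combined into a single check. The following is an added example, not code from the original page; the field names, the 50 ms threshold, the keyword list, and the sample observations are all assumptions constructed for illustration.

```python
# Added example: field names, thresholds and keyword lists are assumptions.
PROXY_HEADERS = ("x-forwarded-for", "via", "forwarded")   # headers proxies commonly add
PTR_KEYWORDS = ("vpn", "proxy", "tor-exit")               # constructed keyword list
LATENCY_GAP_MS = 50.0                                      # assumed threshold


def proxy_signals(obs):
    """Return the reasons an observed connection looks proxied (empty list = none)."""
    findings = []
    # 1. Forwarding headers in the HTTP request.
    headers = {k.lower(): v for k, v in obs.get("headers", {}).items()}
    for name in PROXY_HEADERS:
        if headers.get(name):
            findings.append(f"header:{name}")

    # 2. Latency in both directions; a large gap suggests an intermediate host.
    b2s, s2b = obs.get("browser_to_server_ms"), obs.get("server_to_browser_ms")
    if b2s is not None and s2b is not None and abs(b2s - s2b) > LATENCY_GAP_MS:
        findings.append("latency-gap")

    # 3. Fingerprint values compared with what the IP's location predicts.
    fp, expected = obs.get("fingerprint", {}), obs.get("ip_expected", {})
    for field in ("timezone", "language"):
        if fp.get(field) and expected.get(field) and fp[field] != expected[field]:
            findings.append(f"mismatch:{field}")

    # 4. Reverse DNS name containing a proxy-service keyword.
    ptr = (obs.get("ptr") or "").lower()
    if any(word in ptr for word in PTR_KEYWORDS):
        findings.append("ptr-keyword")
    return findings


# Constructed sample observations (documentation address ranges, invented names).
DIRECT = {"headers": {"User-Agent": "ExampleBrowser/1.0"},
          "browser_to_server_ms": 41.0, "server_to_browser_ms": 38.5,
          "fingerprint": {"timezone": "Europe/Berlin", "language": "de"},
          "ip_expected": {"timezone": "Europe/Berlin", "language": "de"},
          "ptr": "host-203-0-113-7.isp.example"}
PROXIED = {"headers": {"X-Forwarded-For": "198.51.100.23", "Via": "1.1 edge"},
           "browser_to_server_ms": 180.0, "server_to_browser_ms": 22.0,
           "fingerprint": {"timezone": "Asia/Tokyo", "language": "ja"},
           "ip_expected": {"timezone": "Europe/Berlin", "language": "de"},
           "ptr": "node12.vpn.example"}

if __name__ == "__main__":
    for label, obs in (("direct", DIRECT), ("proxied", PROXIED)):
        print(label, proxy_signals(obs))
```

Each finding is an indicator to weigh alongside the others rather than a verdict: a traveller's browser can report a timezone that differs from the IP's location without any proxy involved.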