How do you detect a VPN or Proxy connection? [closed]
N

7

39

I would like to block all connections to my server that use a VPN or Proxy. Is there any way to detect that a VPN or proxy connection is being used? If not, is there any way that I can check the likelihood that a VPN or proxy is being used? Lastly, is there anything that I can query or prompt the user with to check if they are using a VPN or Proxy so that if anyone does get through, I can try and perform additional verification? I do not need any information from the user such as location, true IP, or anything like that. I just want to entirely bar connections from VPNs or Proxies.

Edit: I've been thinking that I could potentially run a test to see if there are consistent discrepancies between ping to the VPN IP and the detectable latency of the client, but that sounds pretty unreliable.

Edit2: A proxy or VPN server would likely have many more ports open than a standard home connection so I could use the number of ports open to help gauge the likelihood of a connection coming from a VPN by running a port scan of the person connecting.

Neese answered 23/10, 2015 at 11:8 Comment(6)
Port scanning a VPN server is a good way to get yourself blacklisted. The question is why are you trying to block people proxying requests? - Flanders
Is it a webserver or just some random socket connection? - Frodin
@Flanders I run a game server. No one uses proxies or VPNs except to dodge IP bans. - Neese
@Frodin I am running a webserver and game server. - Neese
Plenty use VPNs for other reasons--like expats living with country-wide blocks. And some blocks even including gaming sites, though I think that is typically for gambling related sites. - Mesomorph
Low-accuracy (mostly false negatives), but free solution based on daily-updated public VPN/bot lists: github.com/josephrocca/is-vpn If you need high accuracy, then you'll have to use a paid service. - Gao
S
40

Unfortunately, there is no proper technical way to get the information you want. You might invent some tests, but those will have a very low correlation with the reality. So either you'll not catch those you want, or you'll have a larger number of false positives. Neither can be considered to make sense.

Generating any kind of traffic backwards from an Internet server in response to an incoming client (a port scan, or even a simple ping) is generally frowned upon. Or, in the case of a port scan, it may be even worse for you, e.g. when the client lives behind a central corporate firewall, the worst of which is when the client comes from behind the central government network firewall pool...

Frankly, IP-based bans (or actually, any kind of limiting focusing on people who do not exclusively possess their public IP address: proxy servers, VPNs, NAT devices, etc) have been unrealistic for a long time, and as the IPv4 pools have been getting depleted in many parts of the world, ISPs are putting more and more clients behind large NAT pools (it's this week's news in my country that the largest ISP, a subsidiary of Deutsche Telekom, has started handing out private IPv4 addresses as a standard way of business to its customers, and people have to ask the provider explicitly to get a public IP address), so there's even less and less point in doing so. If you want to ban clients, you should ban them based on identity (account), and not based on IP address.

Seow answered 31/10, 2015 at 0:48 Comment(9)
Unfortunately, players can change any identifiers at any time so banning based on their "identity" doesn't help at all. - Neese
@ZachSugano You can ask them to create an account and validate their email address. You don't have any way to block them if they delete all their cookies and create a new account. - Gleich
@ZachSugano Well, if you make them pay some small amount, let's say $0.50 by Paypal, you'll have their identity that is not so easy to fake or generate a new one. - Seow
@zachsugano How can you keep track of each player without assigning each one a lifelong identifier beyond their customizable identifiers like username and email? It's always wise just to assign an immutable sequential user ID to any account whether you make it public or not to support data mining in the future and account banning as you desire. - Peccadillo
Netflix is doing it very well. Wondering how. - Cyclotron
@Cyclotron Netflix asks for your credit card number at registration. That's how they can do it well... - Seow
Of what relevance is the credit card? Presumably Netflix isn't going to insist that you never use your account outside of the address associated with a credit card. Netflix can presumably check for well-known proxies, but indeed it seems they were able to even detect, after some weeks of use, open VPN from a personal (i.e., non-commercial-VPN) server. - Mesomorph
@BrettZamir It's about what method to use to get the 'identity' of the user. The OP wants to recognize VPNs and proxies to be able to block unwanted users. The OP wouldn't need this if the users were identified by other means. Getting a valid credit card number is a way to get an identity - then the OP can block the user account AND his credit card number, so that the user cannot simply register another mail address and subvert his blocking. This works as long as it takes considerable amount of energy to get hold of another credit card. - Seow
Ah, k, yeah, if the intent is blocking by identity, then sure. But as mentioned, Netflix is detecting proxy use independent of identity and even independent of identifying well-known proxies (plenty of services including even Wikipedia (unfortunately for those who need VPNs to pass country-wide blocks of sites) detect well-known proxies). - Mesomorph
O
12

At IPinfo we offer a privacy detection API, which will let you know if a connection is coming from a VPN, an anonymous proxy, a Tor exit node, or a hosting provider (which could be used to tunnel traffic). Here's an example:

$ curl ipinfo.io/43.241.71.120/privacy?token=$TOKEN
{
    "vpn": true,
    "proxy": false,
    "tor": false,
    "hosting": true
}

If you wanted to block connections to your site from VPNs then you could make an API request to get this information, and reply with an error if it's detected as a VPN. In PHP that would look something like this:

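$ip = $_SERVER['REMOTE_ADDR'];
// Use HTTPS so the API token is not sent in clear text
$url = "https://ipinfo.io/{$ip}/privacy?token={$IPINFO_API_TOKEN}";
$response = @file_get_contents($url);
// If the lookup fails, $details is null and the request is let through
$details = $response === false ? null : json_decode($response);
// Just block VPNs
if ($details && !empty($details->vpn)) {
    http_response_code(403);
    exit("VPN Access Blocked!");
}

// Or we could block all the other types of private / anonymous connections...
if ($details && (!empty($details->vpn) || !empty($details->proxy) || !empty($details->tor) || !empty($details->hosting))) {
    http_response_code(403);
    exit("Access Blocked!");
}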
Omari answered 26/2, 2020 at 18:37 Comment(1)
I really like the service and how developer friendly it is, but unfortunately it does not detect Opera VPN (Proxy). Just tried it. - Doable
H
7

The simplest way to do this is to use an external service like an API to block VPN or proxy users.

MaxMind and GetIPIntel both offer it via API, you might want to give it a try. GetIPIntel provides free API service so I suggest you try that first.

For OpenVPN, someone used unique MSS values to identify VPN connections but the setup is complicated and it might be "patched" now.

The strategies you've mentioned in your edits don't seem like a very good idea because you'll run into many false positives. Sending out port scans whenever they connect to your service is going to take a lot of time and resources before you get the results.

Hoashis answered 14/3, 2017 at 17:5 Comment(0)
I
4

Yes, you can detect whether an IP belongs to a VPN/proxy using Shodan. The following Python code shows how to do it:

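import shodan

VISITOR_IP = "5.45.38.184"  # In production this would be the IP of your visitor

# Setup the API wrapper
api = shodan.Shodan('YOUR API KEY') # Free API key from https://account.shodan.io

# Lookup the list of services an IP runs
# (api.host raises shodan.APIError when Shodan has no data for the IP)
ipinfo = api.host(VISITOR_IP)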

# Check whether the IP runs a VPN service by looking for the "vpn" tag
if 'tags' in ipinfo and 'vpn' in ipinfo['tags']:
    print('{} is connecting from a VPN'.format(VISITOR_IP))

You can also look at the list of ports to determine the likelihood that the visitor is connecting from a HTTP proxy:

if 8080 in ipinfo['ports']:
    print('{} is running a web server on a common proxy port'.format(VISITOR_IP))

Btw you can do this now using our new, free InternetDB API. For example:

import requests

VISITOR_IP = "5.45.38.184"  # In production this would be the IP of your visitor

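info = requests.get(f"https://internetdb.shodan.io/{VISITOR_IP}", timeout=5).json()
# A response for an IP with no data has no "tags" key, so read it with a default
if "vpn" in info.get("tags", []):
    print(f"{VISITOR_IP} is connecting from a VPN")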
Isoagglutinin answered 14/6, 2018 at 0:1 Comment(2)
This is very clever! For best results you need to look for more than just the "VPN" tag; most proxies tend to fall under "cloud." - Qianaqibla
We now also have the "proxy" tag so you could do if "vpn" in info["tags"] or "proxy" in info["tags"]: - Isoagglutinin
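
Added example (not code from the answer or from Shodan): one way to turn an InternetDB-style response into a decision, treating the "vpn" and "proxy" tags as strong signals and the "cloud" tag and port 8080, both mentioned above, as weak ones, and tolerating a body with no "tags" key. The sample bodies are constructed, and the block/verify/allow policy and the name `assess` are assumptions of this example.

```python
import json

# Constructed sample bodies; "tags" and "ports" are the fields the answer reads.
SAMPLES = {
    "vpn_tagged": '{"ip": "192.0.2.10", "ports": [443, 1194], "tags": ["vpn"]}',
    "cloud_proxy_port": '{"ip": "198.51.100.7", "ports": [22, 8080], "tags": ["cloud"]}',
    "home_router": '{"ip": "203.0.113.5", "ports": [7547], "tags": []}',
    "no_data": '{"detail": "No information available"}',
}

STRONG_TAGS = {"vpn", "proxy"}   # tags named in the answer and its comments
WEAK_TAGS = {"cloud"}            # hosting is suggestive, not proof of a proxy
PROXY_PORTS = {8080}             # the common proxy port from the answer


def assess(body):
    """Return (verdict, reasons) for one response body (hypothetical policy)."""
    try:
        info = json.loads(body)
    except ValueError:
        return "allow", ["unparseable response"]  # fail open on a broken lookup
    if not isinstance(info, dict):
        info = {}
    tags = set(info.get("tags") or [])
    ports = set(info.get("ports") or [])
    reasons = sorted(f"tag:{t}" for t in tags & (STRONG_TAGS | WEAK_TAGS))
    reasons += sorted(f"port:{p}" for p in ports & PROXY_PORTS)
    if tags & STRONG_TAGS:
        return "block", reasons
    if reasons:
        # Weak signals only: ask for extra verification instead of banning.
        return "verify", reasons
    return "allow", reasons


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess(body))
```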
R
4

List of Tor exit nodes is publicly available. You only want "exit nodes" and it's available as CSV. This should be 100% complete and accurate as it's generated directly from Tor directory.

A free list of open proxies is available from iblocklist.com. A free list that incorporates open proxies, Tor nodes and VPN endpoints from ip2location.com.

The last two have most likely limited coverage and accuracy, especially as it comes to VPN exit nodes - there's just too many of them. Some providers take another approach and consider all "hosted subnets" (subnets from which ISPs assign their clients IPs for hosted servers) as some kind of VPN or proxy, as end-users should be connecting from "consumer" subnets.

Ridley answered 21/2, 2019 at 14:11 Comment(0)
R
1

You can download a list of known proxy IP addresses and look it up locally to see if it is a VPN, open proxy, etc.

There are several commercial products in the market. IP2Proxy LITE is a free one you can try immediately.

Rowley answered 22/2, 2017 at 4:47 Comment(0)
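
Added example (not from either answer or from the list providers): the local lookup that the two answers above describe, covering exact Tor exit addresses and "hosted subnet" CIDR ranges. The lists are constructed from documentation address ranges; `IpBlocklist` and its labels are names made up for this example, and parsing of any real list file format is left out.

```python
import bisect
import ipaddress

# Constructed sample data (documentation ranges) standing in for downloaded lists.
TOR_EXITS = ["192.0.2.10", "192.0.2.77", "2001:db8::1"]
HOSTED_SUBNETS = ["198.51.100.0/24", "203.0.113.64/26", "2001:db8:100::/48"]


class IpBlocklist:
    """Hypothetical helper: exact exit addresses plus hosting CIDR ranges."""

    def __init__(self, exits, subnets):
        self.exits = {ipaddress.ip_address(e) for e in exits}
        nets = [ipaddress.ip_network(c, strict=False) for c in subnets]
        self.ranges = {}
        for version in (4, 6):
            # collapse_addresses merges overlapping ranges and returns them sorted,
            # which is what the binary search below relies on.
            merged = ipaddress.collapse_addresses(
                n for n in nets if n.version == version)
            self.ranges[version] = [
                (int(n.network_address), int(n.broadcast_address)) for n in merged]

    def classify(self, remote_addr):
        try:
            ip = ipaddress.ip_address(remote_addr)
        except ValueError:
            return "invalid"
        # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip in self.exits:
            return "tor-exit"
        bounds = self.ranges[ip.version]
        # Last range that starts at or before the address, if any.
        i = bisect.bisect_right(bounds, (int(ip), float("inf"))) - 1
        if i >= 0 and bounds[i][0] <= int(ip) <= bounds[i][1]:
            return "hosting"
        # Not on either list; this says nothing about VPNs the lists do not cover.
        return "unlisted"


if __name__ == "__main__":
    blocklist = IpBlocklist(TOR_EXITS, HOSTED_SUBNETS)
    for addr in ("192.0.2.10", "::ffff:198.51.100.200", "203.0.113.5", "bogus"):
        print(addr, "->", blocklist.classify(addr))
```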
R
-2
  • Get (somehow) list of IP of proxy servers.
  • Measure round trip ping time to user. Helps in online websocket games. Games are playable with ping under 50ms, so you can disconnect users with ping about 100ms and greater with a message "Sorry, too large ping".
Ringworm answered 5/1, 2018 at 17:27 Comment(0)
