Why the proxy is detected, how to fix it

Some use cases of a proxy or VPN involve the need to be able to identify the mere usage of these tools. At times, you may be curious about whether your proxy usage is detectable, and if it is, how to hide it.

Various methods exist to detect proxy usage, most of which are concealed within the computer and browser.

The specific type of proxy used holds significance, in this case, our focus is on anonymous proxies. All types can be considered as such if they refrain from transmitting any information in the header during a request (refer to the description below).

If the proxy is detected, check the following settings:

Also keep in mind that the proxy type matters: residential proxies can look more like real-user traffic and may reduce automated ‘proxy/VPN detected’ triggers on some sites.

1. Browser HTTP headers.

Analysis of headers sent by the browser. If the header is passed, it means the proxy is not anonymous, and there is a risk that your actual IP address may be disclosed.

Headers that can expose your real IP:

• HTTP_VIA
• HTTP_X_FORWARDED_FOR
• HTTP_PROXY_CONNECTION
• X_FORWARDED_FOR
• FORWARDED_FOR
• FORWARDED
• HTTP_FORWARDED_FOR_IP
• HTTP_FORWARDED_FOR
• FORWARDED_FOR_IP
• HTTP_X_FORWARDED
• HTTP_FORWARDED
• HTTP_CLIENT_IP, VIA, X_FORWARDED
• CLIENT_IP
2. Flash Leak, Java Leak, and WebRTC Leak. Plugins like Adobe Flash, Java, and WebRTC can unintentionally reveal your real IP address. It is advisable to disable these plugins.
3. DNS Leak.

DNS queries can potentially leak the IP address of the DNS server closest to you and bypass your Proxy/VPN connection.

How to safeguard against DNS leaks:

• Force the required DNS servers in the connection settings.
• Install specialized proxy programs that intercept and redirect DNS requests through your Proxy/VPN/TOR.
• Disable third-party plugins such as Flash, Java, WebRTC, and Silverlight.
• Use utilities to hide IP and encrypt traffic with built-in protection against DNS Leak.
4. Fingerprints. Browser and system fingerprint analysis.

Proxies are commonly used on Linux and BSD systems but less frequently on Windows. Users often overlook changing their User-Agent, which contains information about the operating system used in the browser. If you’re trying to match a mobile user profile, pairing a mobile User-Agent with a mobile proxy server can make the overall fingerprint more consistent.

5. ETag. Compare cached Entity Tag identifiers.

ETag can serve as a user identifier. If your IP address changes but the ETag remains stored in the browser cache, the resource can potentially identify you. It is crucial to completely clear the browser cache after modifying or using a proxy/VPN connection.

6. MTU/MSS/p0f check. Passive TCP/IP stack listening methods.

When using this method, the size of the Maximum Transmission Unit (MTU) value is compared. Encapsulation occurs when using a proxy, and with OpenVPN, the system retains the MTU size but can modify the Maximum Segment Size (MSS) within the packet. In some environments, testing with an IPv6 proxy can also help you compare whether detection patterns differ between IPv4 and IPv6 routes.

To prevent information disclosure through MTU/MSS, manual editing of these settings for the network adapter is necessary.

7. Blacklists. Proxies can be checked against large Realtime Blackhole Lists (RBLs) for potential inclusion in blacklists. To reduce blacklist-related flags, consider rotating cleaner pools or switching to ISP proxies, which are often less likely to be mass-listed than datacenter ranges.
8. Differences between the local time and IP time zone.

If detections persist even after tuning headers and fingerprints, consider changing your proxy provider to access a cleaner IP pool and better routing stability.