HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Rasbora

no profile record

Submissions

Is my network a residential proxy?

layer3intel.com
4 points·by Rasbora·9 ay önce·1 comments

comments

Rasbora
·24 gün önce·discuss
[flagged]
Rasbora
·geçen ay·discuss
Solutions exist specifically for detecting residential proxy traffic: https://layer3intel.com/tripwire

You can also check if your network is running a residential proxy exit node here: https://layer3intel.com/is-my-network-a-residential-proxy
Rasbora
·3 ay önce·discuss
TLS fingerprinting is not sufficient to stop residential proxies, the proxy acts as a transparent pass-through at the TLS layer making it trivial to use something like curl_cffi to mimic a real browser TLS fingerprint.

However residential proxies do have a weakness, since they need to maintain 2 separate TCP conenctions you can exploit RTT differences between layers 3 and 7 to detect if the connection to your server is being terminated somewhere along the path. Solutions exist that can reliably detect and block residential proxies, for example: https://layer3intel.com/tripwire
Rasbora
·5 ay önce·discuss
I've helped multiple people remove residential proxy malware that was turning their network into a brightdata exit node and they had no idea / did not consent to it. Why is google selectively targeting one provider while letting others operate freely?

You can check if your network is infected here: https://layer3intel.com/is-my-network-a-residential-proxy
Rasbora
·6 ay önce·discuss
This is the core concept of how proxies are detected via services like https://layer3intel.com/tripwire or https://spur.us/monocle/

The difference in min TCP RTT and min RTT to respond to a websocket payload is a dead giveaway that there's a middlebox terminating TCP somewhere along the path. You can bypass this by sourcing your request within 30ms of wherever TCP is being terminated, anything under that threshold could be caused by regular noise and isn't a reliable fingerprint. Due to how many gateway's there are between you and a residential proxy exit node this makes fingerprinting them extremely easy.

I expect it won't be long until someone deploys the first proxy service that handles the initial CONNECT payload in the kernel before offloading packet forwarding to an eBPF script that will proxy packets between hosts at layer 3, making this fingerprinting technique obsolete. The cat and mouse game continues.
Rasbora
·9 ay önce·discuss
Solutions exist that can completely block credential stuffing attacks most people just don't know about them, for example: https://layer3intel.com/tripwire