Detecting proxy tunnel traffic is vital for a variety of security use cases including network protection, click fraud prevention and e-commerce. Fraudsters are adept at hiding behind VPNs, proxies and other services to bypass checks and balances, manipulate data and exploit organizations’ advertising weaknesses for financial gain.

But detect proxy tunnel traffic  can also make use of proxies and VPNs for legitimate purposes, such as avoiding geo-blocking by streaming content from different regions or protecting their privacy. Incorporating IP-based VPN and proxy detection in a security platform or technology at the front-end of your online business protects against these activities without preventing all legitimate use.

Malicious IP Reporting

Some detection tools use reverse DNS lookups to determine if an IP address is associated with a proxy server. Others examine a user’s behavior and may check for anomalies like slow web page loads or navigating multiple accounts from the same device. In addition, some systems can detect the presence of a tunnel by comparing the traffic path for TCP port 80 TCP packets to the traffic path for ICMP ping packets; the latter tend to show more intermediary hops than the former.

Some systems are also able to identify the type of proxy or VPN being used by using connection features and other data points like CAPTCHA challenges (where some bots have trouble completing), traffic patterns, speed differences and other indicators. And by incorporating machine learning, some systems can adapt to evolving evasion techniques such as IP rotation, user-agent spoofing, residential proxies and other masking services.