Proxy Detection: Techniques and Best Practices
security
proxy
detection

Proxy Detection: Techniques and Best Practices

Brandon Visca
December 5, 2024
7 min read

What Are Proxies?

A proxy server acts as an intermediary between a user’s device and the internet. Instead of connecting directly to a website, the user’s request travels to the proxy server first, which then forwards it to the destination on the user’s behalf. The destination server sees the proxy’s IP address, not the user’s original IP address.

Proxies are used for a wide range of purposes — some entirely legitimate, others not. Businesses use proxies for network caching, content filtering, and centralized internet access. Individuals use proxies to bypass geographic restrictions, access research data at scale, or add a layer of privacy to their browsing. Automated systems use proxies to conduct web scraping, ad verification, price monitoring, and competitive intelligence gathering. And bad actors use proxies to commit fraud, abuse platform limits, and circumvent bans.

For platforms that need to make trust decisions based on who is connecting — e-commerce sites, API providers, content platforms, ad networks — understanding whether traffic is coming through a proxy is an important input to risk management.

Types of Proxies

Not all proxies are equal. They vary significantly in how detectable they are, and understanding the type of proxy affects which detection techniques are appropriate.

HTTP and HTTPS Proxies

HTTP proxies operate at the application layer and handle web traffic only. They are the most common type and the easiest to detect, because they often modify HTTP headers in ways that reveal their presence. HTTPS proxies add encryption between the client and the proxy server, but the proxy still terminates the connection — the destination server communicates with the proxy, not with the original client.

SOCKS Proxies

SOCKS proxies operate at a lower level in the network stack (transport layer), making them more versatile than HTTP proxies. A SOCKS5 proxy, the current standard, supports any type of traffic — HTTP, HTTPS, FTP, and others — and handles UDP as well as TCP. SOCKS proxies do not rewrite HTTP headers, making them somewhat harder to detect than HTTP proxies.

Transparent Proxies

Transparent proxies do not attempt to hide the fact that they are proxies. They pass through the user’s original IP address in the X-Forwarded-For header. These are typically used by organizations for network caching and content filtering, and they do not represent a threat from a fraud detection perspective.

Anonymous Proxies

Anonymous proxies hide the user’s IP address from the destination server but may still reveal that a proxy is being used through headers like Via or X-Proxy-ID. They are detectable through header analysis.

Elite (High-Anonymity) Proxies

Elite proxies strip all identifying headers and present themselves as direct connections. The destination server sees only the proxy’s IP address with no indication that a proxy is involved. These are the hardest to detect and the most commonly used for fraud and scraping.

Residential Proxies

Residential proxies route traffic through IP addresses assigned to real household internet connections, sourced from networks of consenting (or unknowing) device owners. Because these IPs belong to residential ISPs, they are not flagged by datacenter-based detection and are significantly harder to detect than datacenter proxies. Residential proxy networks are widely used for scraping, ad fraud, and account abuse at scale.

Detection Methods

Header Analysis

HTTP proxies often add or modify request headers that reveal their presence. Checking for these headers is the simplest and fastest detection method:

const proxyHeaders = [
  'X-Forwarded-For',
  'X-Proxy-ID',
  'Via',
  'Forwarded',
  'X-Real-IP',
  'Proxy-Authorization',
  'X-Forwarded-Host'
];

function hasProxyHeaders(headers) {
  return proxyHeaders.some(header => headers[header.toLowerCase()]);
}

The presence of these headers does not always indicate malicious intent — legitimate load balancers and CDNs also set X-Forwarded-For — but they provide useful context when combined with other signals.

IP Database Lookup

The most scalable detection method is cross-referencing the connecting IP address against curated databases of known proxy infrastructure. These databases aggregate:

  • Known datacenter IP ranges (hosting providers, cloud platforms)
  • Documented open proxy lists
  • Tor exit node lists
  • Known VPN exit node ranges
  • Flagged residential proxy network ranges

The IPPriv API returns proxy detection flags alongside VPN and hosting information in a single request:

async function detectProxy(ip) {
  const response = await fetch(
    `https://api.ippriv.com/api/security/${ip}`
  );
  return await response.json();
}

The response includes an isProxy flag, along with isVPN, isTor, and isHosting — giving you a complete security profile in one API call.

Port Scanning

Proxies listen on specific ports. Common proxy ports include 3128 (Squid default), 8080, 8888, 1080 (SOCKS), and various others. When a connection arrives from an IP address that has one of these ports publicly open, it suggests that a proxy service is running on that IP address.

Port scanning in real time is impractical for high-traffic applications, but IP intelligence databases pre-populate this information for known proxy ranges.

Timing Analysis

Proxies introduce measurable latency. A connection that claims to originate from a geographically nearby IP address but exhibits high and consistent latency suggests that traffic is traveling through an intermediate hop. The latency profile can be compared against expected values for the claimed location.

This technique is probabilistic and requires baseline latency data from known reference points. It works best as a corroborating signal rather than a standalone detection mechanism.

Geolocation Mismatch

If the IP address geolocation places the user in one country, but other signals — language headers, timezone information, browser settings — suggest a different country, the mismatch may indicate proxy usage. A user who claims via Accept-Language to be a French speaker but whose IP address geolocates to the United States could be using a proxy to appear to be in the US.

ASN and Organization Lookup

Every IP address belongs to an Autonomous System registered to an organization. When the ASN organization is a known hosting provider, cloud service, or proxy network operator, the IP is flagged as non-residential. Residential proxies specifically try to avoid this detection by using genuine ISP-assigned addresses.

Use Cases for Proxy Detection

E-commerce and Payment Protection

Preventing automated bots and scalpers from buying limited inventory — sneakers, concert tickets, gaming hardware — requires detecting and blocking traffic from automated proxy networks. Similarly, payment fraud teams use proxy detection as one signal in their transaction risk scoring.

Content and Regional Licensing

Platforms with geographic licensing agreements use proxy detection to identify users who are circumventing regional restrictions. Unlike VPN detection, which focuses on VPN-specific infrastructure, proxy detection catches a broader category of circumvention methods.

API Rate Limiting and Abuse Prevention

Public APIs face abuse from scrapers and bots that rotate through proxy pools to bypass rate limits. Detecting proxy IP addresses and applying stricter limits or challenges to those requests protects API infrastructure and prevents unfair resource consumption.

Account Security and Fraud

Account creation fraud, credential stuffing, and loyalty program abuse frequently use proxy networks to distribute requests across many IP addresses. Detecting proxy usage does not necessarily mean blocking the action — it means adjusting the risk score and potentially requiring additional verification.

Response Handling and Confidence Scoring

Proxy detection results should be treated as a risk signal, not a binary allow/block decision. Design your response based on the confidence level of the detection and the risk of the action being taken.

async function handleRequest(ip, action) {
  const security = await detectProxy(ip);

  const riskScore = calculateRisk(security);

  if (riskScore > 0.9) {
    // High confidence proxy — block or require strong verification
    return { action: 'block' };
  } else if (riskScore > 0.5) {
    // Moderate risk — add friction (CAPTCHA, email verification)
    return { action: 'challenge' };
  } else {
    // Low risk — allow with monitoring
    return { action: 'allow' };
  }
}

function calculateRisk({ isProxy, isVPN, isTor, isHosting }) {
  let score = 0;
  if (isProxy) score += 0.6;
  if (isVPN) score += 0.4;
  if (isTor) score += 0.8;
  if (isHosting) score += 0.3;
  return Math.min(score, 1.0);
}

Conclusion

Proxy detection is essential for maintaining platform integrity while respecting legitimate use cases. Use our free IP lookup tool to check proxy status on any IP address, or read about VPN detection techniques which complement proxy detection in a comprehensive security strategy. For a deeper look at the residential proxy problem specifically, understanding that not all non-datacenter IPs are trustworthy is a critical insight for modern fraud prevention.

Back to Blog

Related Articles