How to determine when a user is using a proxy
There are many reasons a person might use a proxy connection; cyber-security foul play is one well-known reason, but it is far from the only one.
For forensics, however, it is crucial that you analyze your network traffic, identify the connections that use proxies, and determine the actual origin where possible.
Malicious users often use proxies to spam sites, because some proxy vendors allow anybody to use their services, including cyber attackers. Once you can recognize those proxies, you can block or rate limit transactions coming from them on your site.
Regardless of the application’s underlying language, you can detect a transparent proxy and log the originating IP address for further investigation should an incident happen.
To be able to detect transparent proxies, you may find some knowledge on the different types of proxies useful.
The two different types of proxies are:
- Transparent proxies
- Anonymous proxies
Transparent Versus Anonymous Proxies
Trying to get the original IP address from an entirely anonymous proxy is almost impossible; this is because the IP address never gets sent to your application server, so you can’t access it.
Anonymous proxies are servers that let users pull website content using the proxy server’s IP address without sending the additional server header variables that would indicate a proxy connection.
Therefore, when you check your application server for the IP address, you can only see the anonymous proxy’s IP and not the user’s original IP address.
Anonymous proxies show no signs of even being a proxy and seem like a traditional connection when you review traffic audits. However, you can still fight these proxies if you find that a majority of traffic is malicious.
You can fight these proxies by purchasing a list of IP addresses often used for harmful purposes and then blacklist or block requests coming from those IP addresses in the list.
For popular platforms such as WordPress and Joomla, you can download plugins that help you block IP addresses known for spam.
Unlike anonymous proxies, transparent proxies forward the original IP address from the user, so you can log it and detect the IP location and Internet Service Provider (ISP). Since you can access the IP address from transparent proxies, you can easily block requests from them without having to purchase a list of those proxies.
IP logging is used for several reasons such as cyber security, application cookies, tracking, determining traffic patterns, and gaining insights into customer trends. Using a proxy server doesn’t definitively conclude that the user is malicious, but it’s a way to identify an attacker should you find suspicious activity on your application.
To identify a transparent or anonymous proxy, you can do a reverse lookup on the IP address. However, you may not always get the desired result as you can’t always identify these proxies.
Server administrators can make this possible, but they do not usually put much effort into identifying IP addresses unless they are investigating a security breach.
Developers can use server header variables and log the information, which in turn detects a proxy server.
Detecting a Proxy in Your Application Code
If the traffic connection on your application server is using a transparent proxy, the application receives two IP addresses: the original IP and the proxy server IP.
When these two IP addresses don’t match, you know that you have a proxy connection. An anonymous proxy doesn’t send these additional server variables, so if you retrieve values for them the result will be null (empty).
Several server header variables can indicate a proxy server. They include the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR headers used in the code below.
Any number of these could get forwarded by the proxy server, so you need to check each one for any value other than the IP logged by the server.
Use the “REMOTE_ADDR” server variable to detect the IP address connecting to your server; in a proxy connection scenario, that would return the proxy address and not the original IP.
One way to detect a proxy is to retrieve the IP address from the REMOTE_ADDR server variable and compare it to each server variable listed above. Here is PHP code that does this:
function getRealIpAddr() { // returns the originating IP when a transparent proxy forwarded it
    $remote_ip = $_SERVER['REMOTE_ADDR'] ?? ''; // the peer that actually connected to us
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $header) { // shared-internet header, then proxy header
        if (!empty($_SERVER[$header]) && $_SERVER[$header] !== $remote_ip) return $_SERVER[$header]; // proxy detected
    }
    return $remote_ip; // no proxy header present: the peer is the client
}
$ip = getRealIpAddr();
In the code above, the loop goes through each server header that could indicate a proxy and compares it to the remote IP stored in the $remote_ip variable that uses REMOTE_ADDR.
If the server header is set and it doesn’t equal the IP in $remote_ip, then the application assumes the sender is using a proxy. You can use this snippet of code to perform any number of activities based on this detection.
You can then block the connection, log an event on your server, or use the origin IP as the user location.
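The snippet above treats any forwarded header as evidence of a transparent proxy, but those headers are ordinary request headers that any client can set, so a direct connection can claim an arbitrary origin address. The following is an added example, not code from the original article: it only believes HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP when REMOTE_ADDR is one of your own proxies (the $TRUSTED_PROXIES list and the two sample requests are constructed for illustration), walks the comma-separated chain from the right past your own hops, and validates that the chosen value is a syntactically valid IP address before logging it.

```php
<?php
// Added example (not from the original article): extract the client IP behind a
// transparent proxy without blindly trusting forwarded headers. A forwarded header is
// only believed when the direct peer (REMOTE_ADDR) is one of our own known proxies.
$TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // constructed sample addresses of our own proxies

function getRealIpAddr(array $server, array $trustedProxies): array {
    $remote_ip = $server['REMOTE_ADDR'] ?? '';
    $result = ['ip' => $remote_ip, 'via_proxy' => false, 'trusted' => false, 'header' => null];

    // Headers a transparent proxy may add, in the order we prefer them.
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $header) {
        if (empty($server[$header])) {
            continue;
        }
        $result['via_proxy'] = true;      // a forwarding header is present at all
        $result['header'] = $header;

        // Only honour the header when the peer that sent it is a proxy we run.
        if (!in_array($remote_ip, $trustedProxies, true)) {
            break;
        }
        // X-Forwarded-For reads "client, proxy1, proxy2": walk from the right,
        // skip our own proxies, and take the first address that is not ours.
        $hops = array_map('trim', explode(',', $server[$header]));
        foreach (array_reverse($hops) as $hop) {
            if (in_array($hop, $trustedProxies, true)) {
                continue;
            }
            // Reject garbage: the value must be a syntactically valid IP address.
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break 2;
            }
            $result['ip'] = $hop;
            $result['trusted'] = true;
            break 2;
        }
    }
    return $result;
}

// Constructed requests for illustration: one relayed by our proxy, one that
// connects directly but claims a loopback origin in the header.
$fromOurProxy = [
    'REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.6',
];
$spoofed = [
    'REMOTE_ADDR' => '198.51.100.23',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];

foreach ([$fromOurProxy, $spoofed] as $req) {
    $r = getRealIpAddr($req, $TRUSTED_PROXIES);
    // Log the peer, the resolved client address and whether the forwarded claim was believed.
    error_log(sprintf('peer=%s client=%s via_proxy=%s trusted=%s',
        $req['REMOTE_ADDR'], $r['ip'], $r['via_proxy'] ? 'yes' : 'no', $r['trusted'] ? 'yes' : 'no'));
}
```

For the first request the function resolves the client to 203.0.113.7 with trusted=yes; for the second it keeps 198.51.100.23 as the client with via_proxy=yes but trusted=no. Logging both the peer and the claimed origin keeps the forwarded value available as an indicator that a proxy (or a forged header) is in play, while only the trusted value is suitable for blocking decisions or for use as the user's location.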
Blocking Malicious Traffic and Spam
One major reason why there is a need to block an IP address is due to the rampant increase in spam cases. Spam is very harmful to every site as it can damage the site’s reputation and cause the customers to lose trust in the business.
The majority of spam comes from China, India, Pakistan, and Russia; by blocking most of the traffic coming from these countries, site owners have been able to reduce spam incidents by a large percentage.
Spam also comes from the US, but most of this traffic is from proxies hosted with a US IP. Spammers often use US proxies to bypass geographic web filters.
One method to block spam coming from US IP addresses is to use CloudFlare. CloudFlare is well known for blocking spam and DDoS attacks. It is also an excellent way to prevent XSS attempts and several other cyber-security incidents that could cause havoc on your application.
One disadvantage of CloudFlare is that it can be overly aggressive, so you must be able to tune your settings properly to allow legitimate traffic while blocking malicious activity. That can be a trial-and-error process that some business owners don’t want.
Another option is to download a list of IP addresses known to allow spam. These IP addresses are usually hosts and proxy servers reported to Stop Forum Spam or other similar services.
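To illustrate the blocklist approach described here and earlier in the article (and the block-or-rate-limit choice from the introduction), the following is an added example that is not part of the original article. It parses a small blocklist in a constructed format (one IPv4 address or CIDR range per line, followed by an assumed action column) and matches a connecting address against it with a netmask comparison. The addresses in the list are constructed documentation values; a real list would be downloaded from Stop Forum Spam or a similar service in whatever format that service publishes.

```php
<?php
// Added example (not from the original article): check a connecting address against a
// downloaded blocklist. The list below is constructed for illustration, and the
// "action" column is an assumption of this example, not a real service's format.
$BLOCKLIST_TEXT = <<<'TXT'
# address-or-cidr action
203.0.113.0/24 block
198.51.100.77 ratelimit
192.0.2.10 block
TXT;

function parseBlocklist(string $text): array {
    $rules = [];
    foreach (explode("\n", $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                                   // skip blanks and comments
        }
        // Second column is optional; default to "block" when it is missing.
        [$cidr, $action] = preg_split('/\s+/', $line, 2) + [1 => 'block'];
        // A bare address is treated as a /32.
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $netLong = ip2long($net);
        $bits = (int)$bits;
        if ($netLong === false || $bits < 0 || $bits > 32) {
            continue;                                   // ignore malformed entries
        }
        // Build the netmask as an unsigned 32-bit value; /0 is handled explicitly.
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        $rules[] = ['net' => $netLong & $mask, 'mask' => $mask, 'action' => $action];
    }
    return $rules;
}

// Returns the action for the first matching rule, or null when no rule applies.
function lookupBlocklist(string $ip, array $rules): ?string {
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return null;                                    // not an IPv4 address
    }
    foreach ($rules as $r) {
        if (($ipLong & $r['mask']) === $r['net']) {
            return $r['action'];
        }
    }
    return null;
}

$rules = parseBlocklist($BLOCKLIST_TEXT);
// Constructed addresses: inside the /24, the exact ratelimit entry, a neighbour of it, and an exact block entry.
foreach (['203.0.113.42', '198.51.100.77', '198.51.100.78', '192.0.2.10'] as $ip) {
    $action = lookupBlocklist($ip, $rules) ?? 'allow';
    echo "$ip => $action\n";
}
```

The lookup is called with the address you intend to act on, which for a connection through one of your own proxies should be the forwarded client address and otherwise REMOTE_ADDR. Malformed list entries are skipped rather than aborting the load so that one bad line in a downloaded file does not silently disable the whole list.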