
Detecting VPN (and its configuration) and proxy users on the server side - diafygi
https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413
======
jaytaylor
I never thought about detecting proxies and VPNs this way, very clever.

Do any of you know a way to hinder/defeat these detection techniques?

~~~
userbinator
From the article:

 _If you don’t want to be identified, you can disable mssfix, just set it to
zero on both server and client._

As for the OS/browser fingerprinting, I suppose you could just use p0f to
figure out what your VPN "exit node" is running, then modify your user-agent
to match.

Interestingly enough, it assumes that if it can't figure out either OS or
fingerprint, they match:

    Detected OS   = ???
    HTTP software = ???

    ...
    Fingerprint and OS match.
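
The two server-side checks discussed in this thread, the mssfix-clamped MSS and the passive-OS-versus-User-Agent comparison, as an added Python example; this is not code from the article or from p0f. The baseline MSS set, the User-Agent-to-OS mapping and the 1369 MSS for the tunneled client are assumptions constructed for the example, not measurements. Unlike the checker quoted above, an unknown ("???") on either side is treated as inconclusive rather than as a match.

```python
import re
from dataclasses import dataclass
from typing import Optional

# MSS values that ordinary, un-tunneled links produce (assumed baseline for
# this example): 1460 = IPv4 over Ethernet, 1440 = IPv6 over Ethernet,
# 1452 = IPv4 over PPPoE.
BASELINE_MSS = {1460, 1452, 1440}

# Coarse User-Agent token -> OS family mapping (an assumption for the example;
# order matters: Android UAs also contain "Linux", iPhone UAs contain "Mac OS X").
UA_OS_PATTERNS = [
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Android"), "Linux"),
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Macintosh"), "Mac OS X"),
    (re.compile(r"Linux"), "Linux"),
]


@dataclass
class Observation:
    """What the server can collect for one client without its cooperation."""
    syn_mss: int                    # MSS option from the client's SYN
    fingerprint_os: Optional[str]   # passive (p0f-style) OS family; None for "???"
    user_agent: str                 # from the HTTP request


def os_from_user_agent(ua: str) -> Optional[str]:
    for pattern, family in UA_OS_PATTERNS:
        if pattern.search(ua):
            return family
    return None


def mss_verdict(mss: int) -> str:
    """A tunnel such as OpenVPN with mssfix rewrites the MSS so the encapsulated
    packet fits the tunnel MTU. An MSS below the Ethernet value that matches no
    common link type is the tell-tale; baseline or larger values are not."""
    if mss in BASELINE_MSS:
        return "normal"
    return "clamped" if mss < 1460 else "unusual"


def os_verdict(fingerprint_os: Optional[str], user_agent: str) -> str:
    """Compare the passively fingerprinted OS with the one the User-Agent claims.
    An unknown on either side is inconclusive, not a match."""
    claimed = os_from_user_agent(user_agent)
    if fingerprint_os is None or claimed is None:
        return "inconclusive"
    return "match" if fingerprint_os == claimed else "mismatch"


def assess(obs: Observation) -> dict:
    mss = mss_verdict(obs.syn_mss)
    osv = os_verdict(obs.fingerprint_os, obs.user_agent)
    return {"mss": mss, "os": osv, "flagged": mss == "clamped" or osv == "mismatch"}


WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Constructed observations (values are illustrative, not measurements):
SAMPLES = {
    "direct":      Observation(1460, "Windows", WIN_UA),  # plain Windows client
    "openvpn":     Observation(1369, "Windows", WIN_UA),  # same client through an mssfix tunnel
    "linux_proxy": Observation(1460, "Linux", WIN_UA),    # Windows browser behind a Linux proxy
    "unknown_fp":  Observation(1460, None, WIN_UA),       # fingerprinter printed "???"
}


def assess_all() -> dict:
    return {name: assess(obs) for name, obs in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{name:12s} mss={result['mss']:8s} os={result['os']:13s} flagged={result['flagged']}")
```

The MSS check catches an OpenVPN user even when the browser and the client OS agree (a VPN carries the client's own TCP stack, only the MSS is rewritten); the OS check catches a proxy, whose TCP connection is made by the proxy box rather than the client.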

~~~
nissehulth
Maybe Tor Browser should try to match the user-agent to the exit-node.

~~~
thaumasiotes
No. You can identify a connection as "Tor" in several different ways. That's
not the point of Tor. The point of Tor is that everyone using it looks the
same as everyone else using it. You want the Tor user agent to be,
essentially, "I'm Spartacus".

------
powertower
> and Steam has been always suspicious to non-Russian speakers from Russia

What would the benefit be of someone outside of Russia using Steam via a proxy
in Russia?

edit: after a google search, it looks like -

1. RU prices (in dollars) are way lower for some games than US prices (in
dollars). Almost 50%-60% lower.

2. And EU and AU prices are higher than US prices.

~~~
sobkas
On the other hand we have something like Dishonored (RU). Because Steam.
Somehow when I was buying it on Steam (without any proxies or VPN) I ended up
with that version, even though I paid the full price, not the lower one
available in Russia.

Also, Dishonored (RU) doesn't have a store page, it's impossible to write a
review for it, and so on.

https://steamcommunity.com/app/217980/discussions/0/610573751149814710/

------
_ikke_
How is the uptime of the machine being detected?

~~~
jakobdabo
TCP Timestamps -
[http://forensicswiki.org/wiki/TCP_timestamps](http://forensicswiki.org/wiki/TCP_timestamps)
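
Uptime recovery from TCP timestamps, as an added Python example (not code from the article or from the wiki page linked above). The TSval in the TCP timestamp option is a counter that on many stacks starts near zero at boot and ticks at a fixed rate (commonly 100 or 1000 Hz), so the slope of TSval against arrival time gives the rate, and TSval divided by the rate gives the uptime. The tick-rate table and the samples are constructed. Caveat: Linux since 4.10 adds a random per-connection offset to TSval, so several connections from such a host imply different boot times; the consistency check below is there to catch that before trusting the value.

```python
from typing import List, Optional, Tuple

# Tick rates used by common TCP stacks, in ticks per second (assumed table for
# snapping a noisy slope): 100 Hz (Windows, older BSDs), 250 and 1000 Hz (Linux), 10 Hz.
COMMON_TICK_RATES = (10, 100, 250, 1000)

# One observation = (server wall-clock time in seconds when the segment arrived,
#                    TSval carried in that segment's TCP timestamp option).
Sample = Tuple[float, int]


def estimate_tick_rate(samples: List[Sample], tolerance: float = 0.05) -> Optional[float]:
    """Least-squares slope of TSval against arrival time, i.e. the peer's
    timestamp clock rate, snapped to a common rate when within `tolerance`.
    Returns None if fewer than two distinct arrival times were seen."""
    if len(samples) < 2:
        return None
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return None
    slope = sum((t - mean_t) * (v - mean_v) for t, v in samples) / var_t
    for rate in COMMON_TICK_RATES:
        if abs(slope - rate) <= tolerance * rate:
            return float(rate)
    return slope


def estimate_uptime_seconds(samples: List[Sample]) -> Optional[float]:
    """Uptime implied by the latest TSval, assuming the counter started at zero
    at boot (true for stacks without per-connection offset randomisation)."""
    rate = estimate_tick_rate(samples)
    if rate is None or rate <= 0:
        return None
    latest_tsval = max(v for _, v in samples)
    return latest_tsval / rate


def estimate_boot_time(samples: List[Sample]) -> Optional[float]:
    """Wall-clock boot time = latest arrival time minus the uptime at that moment."""
    uptime = estimate_uptime_seconds(samples)
    if uptime is None:
        return None
    latest_t = max(t for t, _ in samples)
    return latest_t - uptime


def boot_times_consistent(boot_times: List[float], slack_seconds: float = 5.0) -> bool:
    """Several connections from one source address should imply the same boot
    time. If they don't, it is either several hosts behind one NAT or a stack
    that randomises the timestamp offset per connection; either way the value
    cannot be trusted as 'the' uptime of one machine."""
    return max(boot_times) - min(boot_times) <= slack_seconds


# Constructed samples: a 100 Hz peer (1250 ticks over 12.5 s) and a 1000 Hz peer.
SAMPLES_100HZ: List[Sample] = [(1_700_000_000.0, 12_345_600), (1_700_000_012.5, 12_346_850)]
SAMPLES_1000HZ: List[Sample] = [
    (1_700_000_100.0, 500_000_000),
    (1_700_000_101.5, 500_001_500),
    (1_700_000_103.0, 500_003_000),
]


if __name__ == "__main__":
    for name, s in (("100 Hz peer", SAMPLES_100HZ), ("1000 Hz peer", SAMPLES_1000HZ)):
        up = estimate_uptime_seconds(s)
        print(f"{name}: rate={estimate_tick_rate(s)} Hz, uptime={up:.1f} s ({up / 86400:.2f} days)")
```

In practice you would feed `estimate_boot_time` with the samples of each connection separately and only report an uptime when `boot_times_consistent` holds across them.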

------
realusername
That's really interesting! I can also see this being used the opposite way by
some security websites: they could ban all non-VPN users.

------
nickpsecurity
I think the mobile part at the end was interesting. You might be able to spot
users that swap phones (burner smartphones) just by that information. LEOs
and the NSA work on tech to detect that sort of thing. Might find this a useful
tool combined with other methods.

~~~
im3w1l
Why would a criminal swap phones but retain the sim?

~~~
nickpsecurity
Wow, I must've not been awake enough when I wrote that. Good catch.

------
freewizard
Only by checking browser you won't tell a Linux proxy from a Linux NAT box.

------
eikenberry
> It is configured to work with any link with MTU 1450 or more by default.

Does this mean that if you set the MTU to < 1450, OpenVPN wouldn't set the MSS
value in the header?

------
c4n4rd
Very interesting analysis.

PS: Small correction on the article:

"To prove my theory 2 VPN services has been tested:" → "To prove my theory 2 VPN
services have been tested:"

~~~
Nexxxeh
I think the article would benefit from proofreading in general by a native
speaker. I found it really hard going.

I'd say it's EFL, but that's speculation. The language seems pretty advanced
in style but the author trips over things that native speakers of the same
level generally don't.

Opening paragraph:

>A lot of people use VPN every day. Somebody use it in always-on mode to
circumvent government or corporative internet censorship, while somebody use
it from time to time to bypass geographic restrictions.

Common usage would be "A lot of people use VPNs every day."

Some people use them one way, somebody uses it another. As opposed to
"somebody use".

The sentence structure is nearly there, but is just odd enough to stop it from
flowing.

The content is great though. It's really interesting and is worth persevering
for.

I'm not a professional but I'd happily do proofreading for content like this.
The author has made some really interesting and useful content.

If the author had asked for feedback, I'd have fixed it up and sent it. But
large scale unsolicited rewrites might be interpreted more negatively. Is
there an accepted etiquette for such things? Or is it "be grateful, correct
anything that changes the meaning, but don't be petty"?

~~~
userbinator
The author is Russian and shows the typical, although quite subtle, occasional
lack of definite/indefinite articles. I'm native and it doesn't bother me
much; perhaps I'm just used to it.

