1

I want a proxy, preferably my own but I would be glad if there is a reliable service already, that is undetectable. Obviously, it does not send X-Forwarded-For. But it has to be much more than that to be undetectable. I have read the following in different online articles.

  1. The IP should not belong to a known list of proxy servers.
  2. Not detectable through proxy ports
  3. Not through DNS associated with proxies
  4. I will be connecting mostly to HTTPS websites. So the proxy should not be detectable by bypassing HTTPS traffic
  5. Datacenter IPs are now a telltale sign that I am using a proxy or VPN, so how to solve this and use a residential IP.
  6. Proxy should not be detectable through any other mean not mentioned above.
  7. I know how to disable WebRTC. Disabling JavaScript is not feasible as most websites will not work without JS.
  8. Encryption is not needed. Encryption through OpenVPN introduces its own issues of detection - or this is what I have read.

Please note that I am not an IT expert. I have researched and gathered the above information. All I am able to do is follow a step-by-step process.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Assad Ali
  • 11
  • 2
  • 1
    The only real trick is getting a residential IP. All the other parts are easy and straightforward. But the solution to that is not a security concern (just buy a 2nd line). – schroeder Apr 24 '18 at 20:22
  • Well, can you please tell me, or point me to, the easy and straightforward parts - that a layman like me can follow. I am researching for residential IPs and I will be able to fit that piece in the puzzle. – Assad Ali Apr 24 '18 at 20:51
  • Related: https://security.stackexchange.com/q/182710/165253 – forest Apr 25 '18 at 02:17

1 Answers1

2

Running a proxy server

As schroeder says, getting a residential IP would be the real issue. Everything else is simple. You can register a VPS and put a proxy application on it, such as Tinyproxy, a lightweight HTTP proxy that can be configured not to advertise the fact that it is a proxy server. At the worst, it would be advertising in its rDNS that it is a VPS. The ports used can also be easily customized to avoid detection based on common ports. Note that Tinyproxy in particular does not support authorization, so active probing (a technique used by, among others, China) could attempt to connect to it using the CONNECT method on all ports to discover if the server is running an instance of Tinyproxy.

Running a proxy simply involves installing a proxy daemon on a server, configuring the ports you wish to use to connect to the proxy, and opening the ports in the firewall. It's that simple. This can be done on a dedicated server, a VPS, or even a shared shell account. All you need is basic understanding of running a server, and the ability to open ports if they are firewalled off otherwise.

IP and DNS leaks

Preventing proxy leaks is an entirely different class of problems. The best solution for that wouldn't be to disable JavaScript (which doesn't have a built-in way to bypass proxies anyway), but to set a firewall rule that blocks all traffic not going to the proxy server. This prevents both malicious exploitation and accidental misconfigurations from bypassing the proxy and revealing your IP.

HTTP proxies do not require you provide the IP address, so the domain will be resolved by the proxy server itself. This is also true for SOCKS5 and SOCKS4a proxies. With an HTTP proxy, requesting an example website is done by sending headers such as the following to the proxy:

CONNECT server.example.com:80 HTTP/1.1 
Host: server.example.com:80 

It is up to the proxy server to resolve server.example.com and relay the response to you.

Getting a residential IP

Using a residential IP generally requires you run a proxy server on a computer connected to a residential line. Unless you have someone who is willing to do that for you, there is no simple, legal solution. If you have online friends who may not mind running a proxy for you, you could take advantage of that. For example, I have a friend in Moscow (Russia) who was willing to run a proxy server on his own system and allow me to connect to the internet through it.

There are several commercial proxy services that can provide residential IPs, however they are rather sketchy at best of times, and certainly are not what I would call "trustworthy". Many of these services are likely to run proxy servers on a botnet and sell access to the proxies for a profit. While this may give you a residential IP (and "reputable" services will guarantee that IPs will not be shared, or will be minimally shared), it is likely that it is running on a compromised machine. An example is VIP72, which has been known to (perhaps unwittingly) utilize botnets.

It is also possible to exploit consumer routers and run lightweight proxies on them. Many routers have vulnerabilities in exposed web interfaces, or even just use default credentials. As the majority of routers are rarely if ever updated and behave as magical black boxes to their owners, detection is exceptionally rare. Scanning the IPv4 range for particular router vulnerabilities can prove very fruitful. Relevant vulnerabilities are often posted to mailing lists such as Full disclosure. Note that this information is for educational purposes only, as hacking routers is illegal in many jurisdictions.


Encryption is not needed. Encryption through OpenVPN introduces its own issues of detection - or this is what I have read.

That isn't true. The OpenVPN protocol does not hide the fact that it is a VPN tunnel from your ISP, but the website you connect to will not know anything about that. The encryption used by OpenVPN (or other encrypted tunnels such as IPSec) terminates at the VPN server. There are other ways to detect that a VPN is in use though, so a (secure) proxy can actually be more stealthy.

forest
  • 65,613
  • 20
  • 208
  • 262
  • Thanks a lot @forest. Your answer has given me a good starting point. Now, what I need to do is choose a proxy app that have all the options to be undetectable – and secure – and set it up on AWS. I am also researching residential proxies - which are not botnets. Services like Luminati are sketchy, but at least obtain some kind of user consent from their free Hola VPN users, even if users do not know what they are agreeing to. But they do not have any package for small consumers and only offer costly packages for data scrapping. My search and research is continued... – Assad Ali Apr 26 '18 at 10:26