1

As far as I know, when using an HTTP proxy, a header field is sent that contains the IP address of the user.

But SOCKS works with almost every service and protocol, so there should not be such a header field containing the actual IP address.

But theoretically, the proxy server could detect that the request is made on port 80, with HTTP syntax and so on, and manually add that field?

2 Answers

1

That is not correct.

First note that the HTTP 1.1 datagram does not contain an IP address at all; that information is in the layer 3 datagram. The only field in the HTTP 1.1 header that is related to proxying is the authentication header, which indicates whether the proxy requires a login.

SOCKS occurs at layer 5 (below HTTP, but above IP), and involves creating a pair of circuits between source and destination, so it does not just pass on the datagrams it receives; it fully reencapsulates them from layers 5 and below, so that the recipient server doesn't even know at layer 5 that the client is using a SOCKS proxy at all. That header was removed in transit, and the layer 7 payload was placed in new transport segments, and in a new packet before being sent on to the remote destination.

It is possible to determine whether known proxies were used in a communication based on databases of IP addresses for known proxies, but there should be no explicit evidence in the datagrams passed between the proxy and the destination.

It is important to note that the end result of proxification varies by the adversary. Nation-states with infrastructure that can see large swathes of the web will likely be able to tell who you are, and their capabilities are well beyond the scope of these forums.

2
  • Good answer, but what do you mean by reencapsulation of the datagrams?
    – Ercksen
    Commented Jul 13, 2015 at 16:16
  • Check this out: firewall.cx/networking-topics/the-osi-model/… . Encapsulation is the process of putting a segment in a packet, and a packet in a frame, etc. Every time a packet you send hits a router, the packet is decapsulated from the frame it is in on the receiving interface, and is placed in a new frame leaving the exit interface. In this case, the frame, packet, and even the segment are brand new when they exit the proxy, such that the only thing kept from the original datagram is the application payload. Commented Jul 13, 2015 at 16:29
0

It is common for proxies to insert an X-Forwarded-For header, or other header identifying the client IP, but otherwise the client IP is not transmitted upstream when going out via an HTTP proxy, and the upstream connection uses the proxy's IP address as a source.

As for SOCKS, it is possible that the SOCKS connection to an http port could be intercepted or diverted via an http proxy as well (WinGate does this as an option). So then it would be up to the configuration of that proxy whether any header identifying the client was inserted or not.

But straight SOCKS does not have a way to identify the client IP to the peer.

Disclaimer: I work for Qbik who are the authors of WinGate
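
The difference the answers describe, as an added example (not part of either answer and not WinGate's code): a SOCKS5 CONNECT request in the RFC 1928 layout names only the destination and the relayed bytes are unchanged, while an HTTP proxy that rewrites the request can add X-Forwarded-For. The sample addresses and the `relay_*` helper names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample values (documentation address range), not from the page.
CLIENT_IP = "198.51.100.7"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def build_socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_request(msg: bytes) -> dict:
    """Decode every field of a SOCKS5 request; none of them names the client."""
    ver, cmd, rsv, atyp = msg[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if atyp == 1:      # IPv4 destination
        addr, rest = str(ipaddress.IPv4Address(msg[4:8])), msg[8:]
    elif atyp == 3:    # domain name, length-prefixed
        n = msg[4]
        addr, rest = msg[5:5 + n].decode("ascii"), msg[5 + n:]
    elif atyp == 4:    # IPv6 destination
        addr, rest = str(ipaddress.IPv6Address(msg[4:20])), msg[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated request or trailing bytes")
    return {"cmd": cmd, "dst_addr": addr, "dst_port": struct.unpack("!H", rest)[0]}


def relay_via_socks(payload: bytes) -> bytes:
    """After CONNECT succeeds, a plain SOCKS proxy copies the byte stream as-is."""
    return payload


def relay_via_http_proxy(payload: bytes, client_ip: str) -> bytes:
    """Models an HTTP proxy configured to append X-Forwarded-For to the headers."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    return head + b"\r\nX-Forwarded-For: " + client_ip.encode() + sep + body
```

A SOCKS connection that is diverted through an HTTP proxy, as the second answer mentions, would behave like `relay_via_http_proxy` if that proxy is configured to insert the header.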
