Show HN: Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting

Summary

Aroma: Every TCP Proxy Is Detectable With RTT Fingerprinting Important Aroma does not use any kind of IP intelligence information, although IP intelligence information can be used to complement Aroma. Currently the score needed for detection is very low to avoid false positives, so even if it doesn't detect the proxy it may give a low score (0.3-0.1 is very low but does not flag as proxy). The current code is not ready for production, it's just to prove a point. Aroma does not currently detect VPNs or any kind of proxy which isn't a TCP Proxy, Aroma may detect VPNs that use TCP Proxying and the techniques used in Aroma are not limited to TCP and can be applied to other kinds of proxies, but for simplicity and technical reasons (there are variables of the connection that Fastly does not expose to me). A demo of Aroma detecting Cloudflare WARP (higher score is better): Note I have to admit I was a bit surprised that Aroma was detecting WARP, since I thought it was a VPN, but apparently it acts like a UDP => TCP proxy. If Aroma doesn't detect your VPN, that's normal and means your VPN is doing Layer 3 proxying. If your VPN is detected it's doing Layer 4 proxying (some privacy VPNs do this on web ports for privacy reasons). Demo If you want to check out Aroma for yourself, you can go to: https://aroma.global.ssl.fastly.net/. And you should see an "allowed" page if you are not using a TCP Proxy and a block page if you are using a proxy. If you want to get your score you can go to https://aroma.global.ssl.fastly.net/score. TL;DR explanation This is done by measuring the minimum TCP RTT (client.socket.tcpi_min_rtt) seen and the smoothed TCP RTT (client.socket.tcpi_rtt). I am getting this data by using Fastly Custom VCL, they get this data from the Linux kernel (struct tcp_info -> tcpi_min_rtt and tcpi_rtt). I am using Fastly for the Demo since they have PoPs all around the world and they expose TCP socket data to me. The score is calculated by doing tcpi_min_rtt / tcpi_rtt...