Server, Client, or Relay? Dual-Role Detection of Circumvention Relays
Sultan Almutairi, Khaled Harfoush, Yannis Viniotis
https://www.petsymposium.org/foci/2026/foci-2026-0008.php
This paper shows how the “dual-role” nature of proxies—the fact that they act as both server and client—can distinguish them among other hosts in large-scale network flow data sets, even without looking at packet payloads. It takes advantage of the fact that many circumvention designs use a single–IP address architecture: the same IP address both receives connections from censored clients and initiates connections to remote destinations.
The authors propose a three-stage pipeline for identifying proxies. The pipeline relies on a few assumptions. The censor (whatever it is that is interested in classifying proxies) has the ability to monitor traffic entering and exiting its network. The censor cannot see inside encryption, but it can see source and destination IP addresses, as well as domain name metadata associated with network flows (such as may come from DNS queries, HTTP headers, and TLS SNI). The censor needs to be able to distinguish domestic IP addresses (in its own network) from foreign IP addresses (outside its network). Among foreign IP addresses, it needs to have knowledge of “VPS-dense ASNs”, address ranges that are more likely to host proxies. (This is used as a prefilter to reduce the volume of IP addresses that need to be analyzed.) And finally, at least some proxy traffic must exit and then re-enter through the firewall—this may happen when a user accesses a domestic service through the circumvention proxy, or when proxy exit traffic crosses the network border in transit to another destination.
The three stages of the pipeline are:
- Candidate selection. Candidate IP addresses are those that (1) are foreign and (2) lie in VPS-dense ASNs. Other IP addresses are ignored. (Compare to the attested filtering for “popular VPS providers that could be used to host proxy servers” in “How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic”.)
- Dual-role detection. For every candidate IP address r, collect a set of timestamped (client, server) connection records where r either acts as a server for a domestic client (c, r), or acts as a client of any destination server (r, d). Whenever you see a (c, r) record followed by a (r, d) record within a time interval W, mark r as being dual-role. Dual-role IP addresses pass to the next stage; all others are discarded.
- Suspicion scoring and classification. For each remaining IP address r, compute a relay suspicion score (RSS) by looking at the domains r has connected to as a client. High-suspicion “user” domains, such as ordinary news web sites and social media, score 0.9. Low-suspicion “infrastructure” domains, such as software updates and API servers, score 0.1. The RSS for an IP address is the mean of the scores for all domains it has accessed. Finally, classify as a proxy all IP addresses whose RSS is greater than a threshold τ. (The example value given for τ is 0.5.)
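To make stages 2 and 3 concrete, here is an added example (not code from the paper or its authors) that runs dual-role detection and relay suspicion scoring over a handful of constructed flow records. The records, the IP addresses, the domain labels, the window W = 5 seconds and the threshold τ = 0.5 are all assumptions chosen for illustration; the paper's evaluation did not run stage 3 because its data set lacked domains.

```python
"""
Illustration of stage 2 (dual-role detection) and stage 3 (relay suspicion
scoring) of the pipeline summarized above.  Added example, not the paper's
code.  Every flow record, address, domain label and parameter below is
constructed for the demonstration.
"""
import bisect
from collections import defaultdict

# Window W in seconds: a (r, d) connection must follow a (c, r) connection
# within W for r to be marked dual-role.  Assumed value.
W = 5.0

# Constructed flow records: (timestamp, src_ip, dst_ip, domain_or_None).
#   203.0.113.10 looks like a relay: a domestic client connects to it and it
#                shortly afterwards connects out to user-facing sites.
#   203.0.113.20 only ever receives connections (plain server).
#   203.0.113.30 receives and connects out, but only to an update server.
FLOWS = [
    (100.0, "198.51.100.5", "203.0.113.10", None),            # c -> r
    (101.2, "203.0.113.10", "192.0.2.50", "news.example"),    # r -> d, 1.2 s later
    (102.0, "198.51.100.6", "203.0.113.10", None),            # c -> r
    (103.5, "203.0.113.10", "192.0.2.51", "social.example"),  # r -> d, 1.5 s later
    (200.0, "198.51.100.7", "203.0.113.20", None),            # c -> r only
    (300.0, "198.51.100.8", "203.0.113.30", None),            # c -> r
    (301.0, "203.0.113.30", "192.0.2.60", "updates.example"), # r -> d, 1.0 s later
    (400.0, "203.0.113.10", "192.0.2.52", "api.example"),     # r -> d, no c -> r within W
]

# Stand-in for "inside the censor's network" (assumed prefix).
DOMESTIC_PREFIX = "198.51.100."
# Stage 1 output (foreign addresses in VPS-dense ASNs), assumed here.
CANDIDATES = {"203.0.113.10", "203.0.113.20", "203.0.113.30"}
# Stage 3 labels: "user" domains score 0.9, "infrastructure" domains 0.1.
DOMAIN_SCORE = {"news.example": 0.9, "social.example": 0.9,
                "updates.example": 0.1, "api.example": 0.1}
TAU = 0.5


def is_domestic(ip):
    return ip.startswith(DOMESTIC_PREFIX)


def dual_role_ips(flows, candidates, domestic, window):
    """Stage 2: return the candidates r that act as a server for a domestic
    client (c, r) and then, within `window` seconds, as a client (r, d)."""
    inbound = defaultdict(list)   # r -> timestamps of (c, r) with domestic c
    outbound = defaultdict(list)  # r -> timestamps of (r, d)
    for ts, src, dst, _domain in flows:
        if dst in candidates and domestic(src):
            inbound[dst].append(ts)
        if src in candidates:
            outbound[src].append(ts)
    found = set()
    for r in candidates:
        ins = sorted(inbound[r])
        for t_out in outbound[r]:
            # Latest inbound connection at or before this outbound one.
            i = bisect.bisect_right(ins, t_out) - 1
            if i >= 0 and t_out - ins[i] <= window:
                found.add(r)
                break  # one (c, r) -> (r, d) pair within W is enough
    return found


def relay_suspicion_scores(flows, ips, domain_score):
    """Stage 3: RSS(r) = mean score of the domains r accessed as a client.
    Domains with no label are skipped (an assumption of this example)."""
    seen = defaultdict(list)
    for _ts, src, _dst, domain in flows:
        if src in ips and domain in domain_score:
            seen[src].append(domain_score[domain])
    return {r: sum(s) / len(s) for r, s in seen.items() if s}


def classify(scores, tau):
    """Flag as a proxy every address whose RSS exceeds the threshold."""
    return {r for r, rss in scores.items() if rss > tau}


if __name__ == "__main__":
    dual = dual_role_ips(FLOWS, CANDIDATES, is_domestic, W)
    rss = relay_suspicion_scores(FLOWS, dual, DOMAIN_SCORE)
    print("dual-role:", sorted(dual))
    print("RSS:", {r: round(v, 3) for r, v in rss.items()})
    print("classified as proxy:", sorted(classify(rss, TAU)))
```

On this input, stage 2 passes both 203.0.113.10 and 203.0.113.30 (each has an outbound connection within W of an inbound one) and drops 203.0.113.20; stage 3 then gives 203.0.113.10 an RSS of (0.9 + 0.9 + 0.1) / 3 ≈ 0.633 and 203.0.113.30 an RSS of 0.1, so only the former exceeds τ. The 0.1-scored API connection still pulls the relay's score down, which is the point of averaging rather than counting: a relay whose users mostly reach infrastructure domains would fall below τ, which is one reason the paper treats the threshold as a tunable example value.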
The evaluation uses a 24-hour, 17 TB packet capture data set collected from the WIDE Project on 2025-04-09. The capture comes from a transit link in Japan. (So in this case, “domestic” means in Japan, and “foreign” means outside Japan, according to IP geolocation.) The nature of the data set means that connections do not have associated domains, so the authors cannot do stage 3 of the pipeline. They do not really do stage 1, either: instead they start with a set of candidate IP addresses that are identified as proxies based on protocol filtering (OpenVPN, WireGuard, SOCKS), or that are assumed to be non-proxies based on their being observed to receive connections on port 443. Stage 2 of the pipeline showed that 23% of the known proxies had the dual-role nature (true positives), while only 0.18% of the non-proxies did (false positives). (Though there were still more false positives than true positives, in absolute numbers.)