Skip to content
← Field notes
DetectionJune 28, 2026· 10 min read

How platforms actually detect proxies in 2026

Anti-bot systems score five layers at once, from the exit IP down to your mouse movements. A field guide to what's being measured — and which layers a proxy can and can't touch.

Trump Proxies · Network operations

PASSPASSPASSFLAGPASSTRUMP PROXIES // DETECTION FIELDASN · TTL · MTU · DNS · BEHAVIOR

A modern anti-bot system doesn't ask one question — it scores a stack of them at once and adds up the answers. Understanding the stack is what separates operators who stay online from operators who keep buying "premium" IPs and keep getting banned. Here are the five layers, from the network up to your behavior, and — the part most guides skip — exactly which ones a proxy controls.

FIG · fingerprint panel
Mobile fingerprint readoutWHAT A CHECKER SEESASN TYPETTLMTUDNS COUNTRYFRAUD SCOREREAL MOBILE LINEcellular carrier64 (phone)1400 (LTE)matches exitlowMISLABELLED 'MOBILE'hosting provider127 (desktop)1500 (ethernet)3rd-party, wrong georecycled / listed
What a checker sees: a clean mobile line versus a mislabelled proxy, across the signals that get scored.

Layer 1 — IP origin and ASN

The first and cheapest check: what network owns this IP? A datacenter ASN is flagged before anything else runs. A carrier ASN gets the CGNAT trust buffer. This is the layer a mobile proxy is *for* — and the only one a plain proxy fully controls.

Layer 2 — the TCP/OS fingerprint

Every operating system builds its network packets slightly differently, and those differences show up in the very first packet of a connection — before a single byte of your request. Passive fingerprinters read the initial TTL, the TCP window size, the MSS, and the *order* of TCP options, and infer your OS from them. A phone and a Linux server look completely different here.

We go deep on this in the TTL and MTU fingerprint — it's the single most common way a "mobile" proxy quietly betrays itself.

Layer 3 — the TLS handshake (JA3/JA4)

Before any HTTP is sent, your client and the server negotiate TLS, and the exact shape of that negotiation — cipher list, extensions, curves, ALPN — hashes into a stable fingerprint (JA3, and its 2023 successor JA4). Cloudflare, Akamai, DataDome and Imperva all score it. The load-bearing fact: a proxy cannot fix your TLS fingerprint. The handshake is generated by your client and passed through the tunnel unchanged, so the target sees your real TLS signature regardless of how premium the IP is.

Layer 4 — the browser/device fingerprint

Above the network sit dozens of JavaScript-exposed signals that identify your *device* independent of IP: canvas rendering, WebGL/GPU strings, audio stack, fonts, screen, timezone, languages. Roughly two-thirds of top sites fingerprint, precisely because these signals survive cookie clears and IP rotation. For multi-accounting this is the job of an anti-detect browser, which gives each identity a consistent, plausible fingerprint. The current consensus: coherent, consistent noise beats randomization, which detectors now flag on sight.

Layer 5 — behavior and the account graph

Finally, platforms watch what you do and who you resemble: posting times, follow order, navigation path, and the phone/email/payment attached to the account. They build an internal account graph and cluster identities that overlap. This is why most accounts that die behind a perfect mobile IP die here — on behavior or a shared phone/email — not on the network at all.

The division of labour

Who controls each layer. A proxy owns two of five; a serious operation covers all five.
LayerSignalControlled by
IP / ASNexit address, carrier vs hostingProxy
TCP / OSTTL, window, MSS, option orderProxy (the device that originates the connection)
TLSJA3 / JA4 handshakeClient / browser only
Devicecanvas, WebGL, audio, fontsClient (anti-detect browser)
Behaviorpacing, account graph, shared identifiersYou

A proxy supplies a clean, coherent network identity. The anti-detect browser supplies everything above the socket. Your discipline supplies the behavior. Miss any one and the score still adds up to "bot."

If a proxy can't fix TLS or device fingerprints, what's it for?

It owns the two network layers — IP origin and, when the traffic terminates on a real device, the TCP/OS fingerprint. Those are the layers you cannot fix from the client side. It's a necessary input, and it's honest to call it exactly that.

Do I really need an anti-detect browser?

For multi-account work on protected platforms, yes. The device layer links accounts even across different IPs, so without isolated, consistent fingerprints per identity, your accounts cluster and fall together regardless of how good the proxy is.

Run it on real hardware

Ready to try real mobile proxies?

Dedicated real-SIM lines in the USA, Austria and Germany. 7-day trial, unlimited data, self-serve portal.