Skip to content
← Field notes
DetectionJune 26, 2026· 9 min read

The TTL fingerprint that quietly outs fake mobile proxies

Why a real home 5G router passes and a proxy fronting the same router gets flagged — the difference between forwarding a packet and re-originating it, explained with the actual signals.

Trump Proxies · Network operations

PASSPASSPASSFLAGPASSTRUMP PROXIES // DETECTION FIELDASN · TTL · MTU · DNS · BEHAVIOR

Here's a puzzle that exposes how mobile-proxy detection really works. A normal person at home behind a 5G router browses Instagram all day and is never flagged. Point a proxy at the same kind of router and its traffic can get flagged as non-mobile. Same carrier, same hardware — so what changes? The answer is one of the most useful things an operator can understand: the difference between forwarding a packet and re-originating one.

The signal: TTL and the TCP stack

Every connection's first packet carries an initial TTL (time-to-live) set by the sender's operating system. Phones — Android and iOS — start at 64. Windows starts at 128. Routers and some appliances start at 255. Alongside TTL, the TCP window size, the MSS, and the *order* of TCP options together form a fingerprint that reads as "phone," "desktop," or "router/server." None of it comes from the browser; it comes from the kernel that builds the packet.

FIG · ttl path
TTL fingerprint pathREAL MOBILE LINEPHONE SENDSTTL 64CARRIER NAT −1TTL 63PLATFORM SEESTTL 63PHONEDESKTOP BEHIND A FAKE 'MOBILE' PROXYPC SENDSTTL 128PROXY BOX −1TTL 127PLATFORM SEESTTL 127NOT A PHONEOS DEFAULTS DIFFER (ANDROID/IOS 64 · WINDOWS 128) — THE HOP COUNT TELLS THE TRUTH
A real phone's packet arrives with a phone TTL. A desktop re-originated by a proxy box arrives with a desktop TTL on a carrier IP — the incoherence that flags.

Forwarding vs re-originating

When you browse from your own phone behind a home router, your phone originates the connection — real device stack, TTL 64. The router only *forwards* it: it rewrites the source IP to the carrier address and decrements the TTL by one. The destination sees the carrier IP paired with your phone's real device fingerprint. Mobile IP plus mobile stack: coherent, and it passes.

A proxy that *terminates* your connection and opens a fresh one to the target does something different: the new connection carries the proxy machine's own stack. Now the destination sees a carrier IP paired with a *server's* fingerprint. Mobile IP plus server stack: incoherent — and that mismatch is the tell.

What a good mobile proxy does about it

The fix is to make re-originated traffic look like a forwarded device packet: present a device-class TTL (64) and clamp the MSS to a mobile-link value instead of leaking VPN/proxy overhead. Traffic that terminates on an actual mobile device gets a genuine mobile TCP stack for free — that's the structural advantage of a real-device line over a server pretending to be one.

Why this should shape what you buy

This single mechanism explains why not all "4G mobile proxies" are equal. Two providers can both show you a carrier IP on ipinfo, and one of them can still be a Linux box wearing a costume that a serious platform sees through. When you evaluate a provider, don't stop at the ASN — check the fingerprint. We show you exactly how in test a proxy before you trust it.

Can I see the TTL problem myself?

Indirectly. A fingerprint checker that reports OS/TCP signals (or a fraud-score tool) will show whether the exit reads as a mobile device or a server. If a "mobile" proxy's fingerprint reads as a datacenter OS, that's the re-origination leak in action.

Does a VPN fix the TCP fingerprint?

A VPN changes where your traffic exits, but the packet is still built by your own device's kernel — so your device's TTL and stack travel with it. The point of a real-device mobile line is that the traffic terminates on a device whose stack already looks like a phone.

Run it on real hardware

Ready to try real mobile proxies?

Dedicated real-SIM lines in the USA, Austria and Germany. 7-day trial, unlimited data, self-serve portal.