SOCKS Proxy Primer: What Is SOCKs5 and Why Should You …
co-authored by Darshan S. Mulimath, Megha B. Sasidhar, and Ashiq Khader
In computer networks, a proxy or proxy server is a computer that sits between you and the server. It acts as a gateway between a local network and a large-scale network, such as the internet.
A proxy server works by intercepting connections between sender and receiver. All incoming data enters through one port and is forwarded to the rest of the network via another port.
Aside from traffic forwarding, proxy servers provide security by hiding the actual IP address of a server. They also have caching mechanisms that store requested resources to improve performance. A proxy server can encrypt your data so it is unreadable in transit and block access to certain webpages based on IP address.
Now that we have a general sense of how a proxy works, let’s zoom in on a specific type of proxy — SOCKS — and, specifically, the SOCKs5 variant.
What Is a SOCKS Proxy?
SOCKS, which stands for Socket Secure, is a network protocol that facilitates communication with servers through a firewall by routing network traffic to the actual server on behalf of a client. SOCKS is designed to route any type of traffic generated by any protocol or program.
A SOCKS proxy server creates a Transmission Control Protocol (TCP) connection to another server behind the firewall on the client’s behalf, then exchanges network packets between the client and the actual server. The SOCKS proxy server doesn’t interpret the network traffic between client and server in any way; it is often used because clients are behind a firewall and are not permitted to establish TCP connections to outside servers unless they do it through the SOCKS proxy server. Therefore, a SOCKS proxy relays a user’s TCP and User Datagram Protocol (UDP) session over firewall.
SOCKS is a layer 5 protocol, and it doesn’t care about anything below that layer in the Open Systems Interconnection (OSI) model — meaning you can’t use it to tunnel protocols operating below layer 5. This includes things such as ping, Address Resolution Protocol (ARP), etc. From a security perspective, it won’t allow an attacker to perform scans using tools such as Nmap if they are scanning based on half-open connections because it works at layer 5.
Since SOCKS sits at layer 5, between SSL (layer 7) and TCP/UDP (layer 4), it can handle several request types, including HTTP, HTTPS, POP3, SMTP and FTP. As a result, SOCKS can be used for email, web browsing, peer-to-peer sharing, file transfers and more.
Other proxies built for specific protocols at layer 7, such as an HTTP proxy that is used to interpret and forward HTTP or HTTPS traffic between client and server, are often referred to as application proxies.
There are only two versions: SOCKS4 and SOCKs5. The main differences between SOCKs5 and SOCKS4 are:
SOCKS4 doesn’t support authentication, while SOCKs5 supports a variety of authentication methods; and
SOCKS4 doesn’t support UDP proxies, while SOCKs5 does.
A SOCKs5 proxy is more secure because it establishes a full TCP connection with authentication and uses the Secure Shell (SSH) encrypted tunneling method to relay the traffic.
Why You Should Adopt SOCKs5
Below are four key benefits to using a SOCKs5 proxy with SSH tunneling.
1. Access Back-End Services Behind a Firewall
Usually, a cluster is hosted in the cloud behind a firewall to minimize potential security vulnerabilities. There are two ways to access any backend services that are running inside a cluster, and each has its limitations:
Expose backend services to public (and accept the associated security risk); or
Whitelist the client or user’s IP to allow traffic to backend services (this is not the right solution for when a user’s IP changes, however).
A SOCKs5 proxy with dynamic port forwarding using SSH can be an alternative to the two undesirable options above. An administrator or developer could access any backend services within a cluster that is hosted in the cloud behind a firewall for debugging, monitoring and administrating from a public network without exposing the backend service ports or whitelisting specific IPs.
Let’s look at a use case. For security reasons, the administration or monitoring application APIs or web user interface (UI) ports for monitoring Hadoop cluster are closed by default when hosted on the cloud. To access these APIs or web UIs, you can use SSH dynamic port forwarding to master or edge a node cluster, since the master node will have a public IP and run SSH services by default, which is exposed so the user can connect from outside.
For another example, say you’re working with a virtual private cloud (VPC). You can deploy a bastion host to securely access remote instances within a VPC by limiting their access to the outside world. You can access the bastion host from the outside world, and only port 22 (SSH) is opened. Using SSH dynamic port forwarding (SOCKs5 proxy), you can access the remote instances that are running in the VPC.
2. No Special Setup Required
SOCKs5 doesn’t require special setup, as long as you have SSH access to either the Edge node or gateway of a cluster. Therefore, users such as administrators and developers can access back-end resources behind the firewall using an SSH tunnel without requiring a virtual private network (VPN).
3. No Third-Party Public or Free Proxy Server in Your Deployments
Since a SOCKs5 proxy routes all kinds of TCP and UDP traffic to their respective service through SSH tunneling, no layer 7 application-related special proxies are required for each service to route application requests.
4. Fewer Errors, Better Performance
Unlike other application proxies, SOCKs5 does not rewrite data packets. It just relays the traffic between devices. Therefore, it is less prone to errors, and performance increases automatically.
How Does SOCKs5 Work in Practice?
Any CISO wouldn’t jump at the chance to embrace the benefits listed above. But what does a SOCKs5 proxy look like in the context of an enterprise security strategy? Where do security leaders begin when implementing SOCKs5 in their environment? Below are some key steps to help you get started.
Setting Up a SOCKs5 Proxy Connection
To SOCKSify an IT environment, the client application must have the capacity to support the SOCKs5 protocol. The syntax below is based on the SSH client on Linux; it shows how to create a SOCKs5 proxy server running on your local computer and then authenticate to the Edge node of a cluster or gateway hosted on cloud that routes traffic to the servers inside the cluster:
$ ssh -D 30001 [email protected] -C -f -N (password: xyz; or
$ ssh -i /path/to/private_key -D 30001 [email protected] -C -f -N
The above command starts the SOCKs5 server and binds to port 30001, then connects to Edge Node, Master Node or Gateway Node over the SSH tunnel hosted on the cloud.
The options used in the above command do the following:
D 30001 tells SSH to create a SOCKs5 server on port 30001 on the client computer.
C compresses data before sending.
N means “Do not execute a remote command. ” This is useful for simply forwarding ports (protocol version 2 only).
F requests SSH to go to the background just before command execution.
Accessing the Endpoints Using the SOCKs5 Protocol
Once a SOCKs5 proxy is created, configure your clients to access the internal services of the cluster. To keep it simple, we use a command line URL (cURL) that supports the SOCKs5 protocol. Other methods such as using a web browser require some additional setup and configurations.
The below cURL command shows how to access one of the HTTPS application endpoints listening on port 8000 behind a firewall using the SOCKs5 proxy over the SSH tunnel created above:
curl -x socks5hlocalhost:30001 -v -k -X GET EdgeNodeSSHserverIP:8000
The above cURL tool connects to port 30001 on localhost. Upon receiving a HTTP GET request on port 30001 from the cURL, the SSH client sends the same request via SSH tunnel to the SSH server.
The remote SSH server handles the request and passes the request to a back-end service listening at port 8000. The response is sent back to the client over the same SSH tunnel to the client’s SOCKs5 proxy. The proxy relays the response to the cURL, which displays the response.
Once you have created a SOCKs5 proxy using the SSH dynamic port forwarding method, you can also use the netcat utility to test the TCP connection. As shown below, a TCP connection test is made for back-end services listening at port 8443 with the SOCKs5 proxy:
ncat –proxy 127. 0. 1:30001 –proxy-type socks5 EdgeNodeSSHserverIP 8443 -nv
A SOCKs5 proxy is a lightweight, general-purpose proxy that sits at layer 5 of the OSI model and uses a tunneling method. It supports various types of traffic generated by protocols, such as HTTP, SMTP and FTP. SOCKs5 is faster than a VPN and easy to use. Since the proxy uses a tunneling method, public cloud users can access resources behind the firewall using SOCKs5 over a secured tunnel such as SSH.
SOCKS vs HTTP Proxy: What Is the Difference? – Blog | Oxylabs
Choosing between a SOCKS vs HTTP proxy requires a thorough understanding of how each type works and what configurations they convey. Only then you will be able to easily juggle between different types of proxies, as well as to find the best option for your specific use case.
In this article, we will outline what HTTP and SOCKS proxies are, how they operate, and what benefits each brings. Also, we will compare both proxy types and dwell on the differences between SOCKS proxies vs HTTP proxies.
Navigation:What are HTTP proxies? What are SOCKS proxies? Reasons to use SOCKS and HTTP proxies SOCKS vs HTTP proxies: the main differencesWrapping up
What are HTTP proxies?
HTTP stands for HyperText Transfer Protocol and is the foundation of any data exchange across the internet. It is a connectionless text-based protocol that allows fetching resources, like HyperText Markup Language (HTML) or other scripting languages, like CSS, and transmitting from web servers to web browsers.
HTTP is generally called a client-server protocol since it helps clients (usually web browsers) send requests to servers for data elements, such as pages, images, or videos. After the request is served, the connection between the web browser and server ends. Therefore, each request requires a new connection.
As the name implies, an HTTP proxy is specifically made for HTTP connections and operates via the same client-server model. Like any other regular proxy, it also acts as an intermediary: HTTP proxy stands between a server and a client (web browser) by transmitting requests and delivering the resource back to the client in HTTP format.
HTTP proxies can help cover many business use cases with high security and privacy
What are SOCKS proxies?
SOCKS is another internet protocol. It stands for SOCKet Secure and is commonly used for traffic-intensive tasks, like content streaming or P2P sharing. SOCKS uses a Transmission Control Protocol (TCP) connection that is designed to send and receive data packets across the internet, as well as to guarantee successful delivery of resources over networks.
When using SOCKS proxies, the internet traffic is routed through a proxy server via TCP connection on behalf of a client. Just like most other proxy types, SOCKS proxies hide the client’s IP address and serve when bypassing geo-restrictions.
Unlike HTTP, SOCKS cannot interpret web data. However, they are mostly used to facilitate communication with websites that have a firewall and limit regular client access. Most importantly, SOCKS proxies work on any kind of network protocol on any port.
What is SOCKS5? SOCKS5 is the latest edition of the SOCKS protocol. Compared with the older versions, SOCKS5 supports TCP or UDP connections and provides enhanced security.
Reasons to use SOCKS and HTTP proxies
Now we are going to outline why you should use SOCKS or HTTP proxies.
HTTP proxies are a reliable choice for many businesses that need to cover numerous goals and use cases. The HTTP proxy’s server configuration can be set according to your needs. Here are the main pros of using an HTTP proxy:
Clean data. While operating as a middleman between a client and its destination, an HTTP proxy has the ability to understand data. This means that an HTTP proxy can be set up for content filtering or caching web data. Therefore, HTTP proxies help extract relevant data from websites and avoid collecting what is unnecessary. Advanced security. HTTP proxies add an additional layer of security while detecting and denying suspicious data packets, such as spyware or malformed content, trying to enter your crease your scraper’s success rate. HTTP proxies are used for configuring HTTP request headers. This practice can help you to facilitate access to restricted targets and lower your chances of getting blocked. If you are interested in how to enhance your web scraping operations, read our article on “5 Key TTP Headers for Web Scraping. ”
Since SOCKS proxies are compatible with any network protocol or port, they can be used in multiple applications and in a wealth of scenarios. We have listed several reasons why SOCKS proxies can be beneficial:
Firewalls. As we already mentioned, SOCKS proxies can be an excellent choice for cases that involve firewalls. Whenever clients are behind a firewall and want to initiate arbitrary TCP connections to servers that are outside, they might not be able to. This is where SOCKS proxies come to play and make it happen. (In fact, this also applies to HTTP proxies – the firewall may restrict a client’s access to certain websites via an HTTP connection. )Compatibility with any network protocol or port. Unlike an HTTP proxy that establishes only an HTTP connection, SOCKS can go through TCP. Also, SOCKS5 proxies can use User Datagram Protocol (UDP) connection to deliver datagrams over a network, ensuring efficient performance.
SOCKS vs HTTP proxies: the main differences
The final decision on which proxy type you should choose depends mostly on your goals and needs. Equipped with the knowledge of both proxy types, we can now highlight their main differences.
Ensuring privacy and security play an important role in the whole purpose of using a proxy. Both HTTP and SOCKS proxies act as mediators between a client and a server in order to secure your online activities and make them harder to be traced.
HTTP proxies are widely used for email protection and cybersecurity projects due to their ability to understand data packets and filter them according to specific needs. This also can be useful for web scraping and data mining activities.
Although HTTP proxies can only handle HTTP(S) traffic, their configurations can be set according to numerous use cases. Since HTTP proxies can interpret network traffic between a client and a web server, they can spot repeated requests or cache responses.
As for SOCKS proxies, they are not liable to specific network protocols, thus can be more flexible to employ. As they are unable to understand network traffic, they are perfect for accessing connections behind the firewall.
As with any other proxy type, we generally advise on choosing private proxies if speed measures are of great importance to to their ability to filter data or cache web pages, HTTP proxies can fuel your scraping operations, as well as enhance load speeds and performance. As a result, these proxies allow you to manage more requests per second.
On the other hand, SOCKS proxies are widely appreciated for their speed as they are easier to apply: this makes them a right fit for downloading, transferring, and uploading web data online.
SOCKS proxyHTTP proxySecuritySOCKS proxies do not have standard tunnel proxies can add a layer of security between the client and the server and can detect and deny suspicious data packets or ctionalitySOCKS proxies do not directly use the HTTP protocol. It is commonly used for more general purposes such as content streaming and P2P file sharing. Since SOCKS proxies are protocol-agnostic, unlike HTTP proxies, they do not directly interpret or manipulate proxied proxies are more flexible to deploy as they are not bound to specific network protocols. They are great for accessing connections that are behind a proxies handle HTTP(S) traffic which is often used for retrieving information via web browsers. However, they can be configured for different use cases. HTTP proxies can interpret network traffic between web servers and clients. Thus, they can be set up to filter content or cache web rformanceSOCKS proxies offer great speeds, making them ideal for downloading or transferring data via the rare software clients or very specialized systems may only support ivate HTTP proxies deliver decent load speeds and are better suited for managing more requests per second.
There is no question of rivalry since selecting between SOCKS vs HTTP proxies depends on your use case and needs. SOCKS may be a reliable choice for projects that involve downloading and transferring large amounts of data. On the other hand, HTTP proxies may be ideal for filtering data for security or performance reasons. If in doubt, if your target is HTTP(S), HTTP proxies should work just fine for you. Oxylabs’ HTTP proxies are considered as one of the most stable proxy types on the market.
If you want to learn more about web scraping, read our step-by-step Python Web Scraping Tutorial. And if you consider which solution meets your business needs, do not hesitate and contact our sales team for further advice and assistance.
About Vejune Tamuliunaite
Vejune Tamuliunaite is a Product Content Manager at Oxylabs with a passion for testing her limits. After years of working as a scriptwriter, she turned to the tech side and is fascinated by being at the core of creating the future. When not writing in-depth articles, Vejune enjoys spending time in nature and watching classic sci-fi movies. Also, she probably could tell the Star Wars script by heart.
All information on Oxylabs Blog is provided on an “as is” basis and for informational purposes only. We make no representation and disclaim all liability with respect to your use of any information contained on Oxylabs Blog or any third-party websites that may be linked therein. Before engaging in scraping activities of any kind you should consult your legal advisors and carefully read the particular website’s terms of service or receive a scraping license.
Under Attack: How Threat Actors are Exploiting SOCKS Proxies
From the basic building blocks of the internet to cryptocurrency mining on a supercomputer, SOCKS sits at the core of computing. A SOCKS proxy can be used to improve network security in an enterprise, but can also be exploited by cybercriminals for nefarious reasons. Take a look at how SOCKS proxies have been manipulated recently by threat actors.
What is a SOCKS Proxy?
SOCKS, which stands for Socket Secure, is an internet protocol that enables the exchange of packets between a client and a server through a proxy server.
According to the Internet Engineering Task Force, the protocol is “designed to provide a framework for client-server applications in both the TCP (transmission control protocol) and UDP (user datagram protocol) domains to conveniently and securely use the services of a network firewall. ”
A proxy server functions as an intermediary for requests from a client in an internal network seeking services or resources from the internet. The proxy server has its own public IP address.
There are a number of use cases for a proxy server: to improve network security, carry out actions anonymously, balance network traffic, control employee internet usage and provide faster network speeds by compressing traffic, caching files and stripping ads from websites.
There are currently two versions of SOCKS: SOCKS4 and SOCKS5. SOCKS5 is the current version of the protocol. It supports a variety of authentication methods, as well as User Datagram Protocol (UDP) proxies.
There are several benefits to using the latest version of SOCKS for a proxy server. First, it enables an administrator to access backend services remotely within a cluster hosted in the cloud behind a firewall, without exposing the backend service ports. Second, it does not require anything special as long as there is secure shell (SSH) access to either the Edge node or gateway. Third, a SOCKS5 proxy can route test TCP (TTCP) and UDP traffic through SSH tunneling. Therefore, each service does not require a unique proxy to send requests. And finally, it does not rewrite data packets, so it makes fewer errors and improves performance.
SOCKS5 Proxies Used in Supercomputer Attacks
Unfortunately, a SOCKS proxy can be abused by attackers to carry out various types of nefarious activities.
A recent example involves cryptomining attacks on academic supercomputers used to conduct advanced research. The attackers were able to connect to a SOCKS5 proxy host running a microSOCKS instance on a high port. They did this by exploiting an SSH connection from the anonymous Tor network, according to research by the European Grid Infrastructure Foundation’s computer security incident response team. MicroSOCKS is a multithreaded, small SOCKS5 server.
Normally, researchers use the SSH connection to log in to the supercomputers remotely. The attackers were able to steal the SSH credentials and move between supercomputers using the stolen SSH credentials. The attackers then used the supercomputers to mine cryptocurrency.
The academic institutions running the supercomputers had to shut them down to clear the cryptomining malware, disrupting valuable academic research.
SOCKS5 Exploited by Dark Nexus Botnet
In another recent attack, the Dark Nexus internet of things (IoT) botnet was able to enlist a SOCKS proxy in a scheme offering distributed denial-of-service (DDoS) attacks for hire services.
The Dark Nexus attackers infect IoT devices and then run a SOCKS5 proxy on a randomly chosen port that connects with the command and control server as part of the registration, based on a Bitdefender analysis.
Bitdefender researchers believe the attackers are selling access to the SOCKS5 proxies on an underground forum. However, they do not have direct evidence to support this belief.
In addition, the Gwmndy botnet abused SOCKS proxy servers. Gwmndy attackers targeted Fiberhome routers and added 200 routers per day to their botnet, stopping after reaching that number, according to 360 Netlab researchers.
Instead of using the botnet for DDoS attacks, cryptojacking, sending spam or stealing data, the Gwmndy botnet operators appeared to use the routers for SSH tunneling proxy nodes and creating a SOCKS5 proxy service locally.
Ransomware Attackers Abuse SOCKS Proxies
Ransomware attackers also use SOCKS proxies. The QNAPCrypt ransomware, which focused on infecting network-attached storage Linux devices, exploited authentication methods used by companies to establish connections through a SOCKS5 proxy, according to Intezer researchers.
Central to the multistage QNAPCrypt ransomware attack is a SOCKS5 proxy. First, the ransomware connects to a SOCKS5 proxy. The proxy requests the victim’s configuration keys to retrieve the ransomware client from an Onion domain. It retrieves an RSA public key, unique Bitcoin wallet and ransom note from the Onion domain. After going through the SOCKS5 proxy again, the ransomware proceeds to encrypt the victim’s systems using the retrieved keys.
While most ransomware attacks target Windows systems, QNAPCrypt joins a growing list of ransomware going after Linux-based systems.
Cloud Snooper and SOCKS Proxies
Cloud Snooper malware uses a SOCKS proxy to bypass firewalls in cloud infrastructure. The malware, a backdoor trojan, can be executed as a command-line tool and as a daemon.
Cloud Snooper opens HTTP or domain name system (DNS) services on an infected system and enables traffic tunneling, operating both as a reverse SOCKS5 proxy server and client, explains SophosLabs researchers. The SOCKS5 proxy server used by the malware is based on the open-source sSOCKS proxy implementation.
The malware then abuses and WinDivert to start a SOCKS4 proxy on infected computers. This turns them into proxies for sending malicious traffic. Next, the malware connects to the attackers’ command and control server. The server uses the SOCKS4 protocol to send an HTTP request to the client. The client proxies the request to the website and returns the response and the HTML page to the server.
Using SOCKS proxy and other stealth components enables the malware to “fly under the radar” for a while. Therefore, it is best to use strong authentication to lessen the risk that SOCKS proxies are hijacked by attackers.
Frequently Asked Questions about socks proxys
What is the difference between HTTP and SOCKS proxy?
HTTP proxies can add a layer of security between the client and the server and can detect and deny suspicious data packets or spyware. SOCKS proxies do not directly use the HTTP protocol. It is commonly used for more general purposes such as content streaming and P2P file sharing.Jun 8, 2021
Where can I buy SOCKS proxies?
SOCKS5 proxy126.96.36.199:10307 United States188.8.131.52:10471 United States184.108.40.206:64716 United Kingdom220.127.116.11:39592 Ukraine18.104.22.168:19828 Ukraine11 more rows
What is SOCKS proxy malware?
The SOCKS5 proxy server used by the malware is based on the open-source sSOCKS proxy implementation. … This turns them into proxies for sending malicious traffic. Next, the malware connects to the attackers’ command and control server. The server uses the SOCKS4 protocol to send an HTTP request to the client.Sep 3, 2020