Show HN: Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting

Community splits: 'physics exposes proxies' vs 'old trick' as a demo stirs panic

TLDR: Aroma’s demo uses connection timing to spot TCP proxies and even flags Cloudflare WARP. Comments erupt: some say CDNs already do this and you can’t beat physics, others fear for residential proxies, while experts plot delay-padding countermeasures—expect a proxy detection arms race

A Show HN drop called Aroma claims it can spot every TCP proxy by timing your connection—basically checking round‑trip time (RTT), the send‑and‑return speed of data. The demo even flags Cloudflare WARP, and the crowd went full popcorn. One excited tester bragged it catches Brightdata’s residential proxies; another fired up an iProyal proxy and got an ironic “You don’t seem to be using a TCP Proxy!” message, fueling a wave of “does this catch my setup?” chaos.

The hottest takes? Pros say you can’t cheat physics: speed-of-light limits mean your timing gives you away, and big content networks (CDNs) already play this game. Others worry this nukes shady traffic hiding behind “normal ISP” behavior, with one commenter pleading for help against a flood of “legit” residential hits. Then came the counter‑hacker move: add artificial delay to spoof timing. In other words, it’s an arms race—detect, evade, repeat.

Memes flew fast: “latency police,” “physics-based KYC,” and “ping is a snitch.” Devs obsessively refreshing the demo and checking their score turned into a mini sport. The fine print: this is a proof‑of‑concept, focuses on TCP, and won’t catch true VPNs doing lower‑level routing—but it definitely stirred the pot.

Key Points

  • Aroma detects TCP proxies using a score computed as tcpi_min_rtt/tcpi_rtt, with both values read from the Linux kernel's tcp_info via Fastly Custom VCL.
  • Detection thresholds for the score: 1.0–0.7 normal; 0.7–0.3 still normal, typical of unstable links; 0.3–0.1 low and may indicate a proxy; below 0.1 flagged as a TCP proxy.
  • The demo provides an allowed/blocked page and a /score endpoint, and specifically demonstrates detection of Cloudflare WARP.
  • Aroma does not use IP intelligence and is not production-ready; it focuses on TCP proxies and may detect VPNs that use TCP proxying.
  • Technical notes relate RTT to physical distance limits and emphasize multiple timing layers (L3, L4/TCP, L7/HTTP, TLS).
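As an added illustration of the scoring described in the Key Points (this is not Aroma's own code), the snippet below pulls tcpi_rtt and tcpi_min_rtt out of a Linux struct tcp_info buffer, computes min_rtt/rtt, and maps the result onto the listed bands. The field offsets, the buffer length, the clamp to 1.0, and the inclusive lower bound of each band are assumptions; the page only gives the ratio and the thresholds.

```python
import socket
import struct

# Byte offsets inside Linux's struct tcp_info (assumed layout: 8 leading u8
# fields, then u32 counters; tcpi_rtt is the 16th u32, and tcpi_min_rtt sits
# after the four u64 rate/byte counters plus segs_out, segs_in, notsent_bytes).
# Both fields are in microseconds.
_OFF_RTT = 68
_OFF_MIN_RTT = 148
_TCP_INFO_LEN = 232  # assumed buffer size; large enough to cover both fields

def parse_rtt_fields(buf):
    """Return (tcpi_rtt, tcpi_min_rtt) from a raw tcp_info buffer."""
    if len(buf) < _OFF_MIN_RTT + 4:
        raise ValueError("tcp_info buffer too short for tcpi_min_rtt")
    (rtt,) = struct.unpack_from("=I", buf, _OFF_RTT)
    (min_rtt,) = struct.unpack_from("=I", buf, _OFF_MIN_RTT)
    return rtt, min_rtt

def rtt_score(rtt_us, min_rtt_us):
    """Aroma's score, tcpi_min_rtt / tcpi_rtt; None before any RTT sample exists."""
    if rtt_us == 0 or min_rtt_us == 0:
        return None
    return min(min_rtt_us / rtt_us, 1.0)  # clamp: the ratio is only meaningful in [0, 1]

def classify(score):
    """Map a score onto the bands from the demo (lower bounds treated as inclusive)."""
    if score is None:
        return "no-sample"
    if score >= 0.7:
        return "normal"
    if score >= 0.3:
        return "normal (unstable link)"
    if score >= 0.1:
        return "low: may indicate proxy"
    return "flagged: TCP proxy"

def make_tcp_info(rtt_us, min_rtt_us):
    """Constructed test input: a zeroed tcp_info buffer carrying only the two RTT fields."""
    buf = bytearray(_TCP_INFO_LEN)
    struct.pack_into("=I", buf, _OFF_RTT, rtt_us)
    struct.pack_into("=I", buf, _OFF_MIN_RTT, min_rtt_us)
    return bytes(buf)

def score_socket(sock):
    """Live variant: read tcp_info from a connected socket on Linux and score it."""
    raw = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_INFO, _TCP_INFO_LEN)
    rtt, min_rtt = parse_rtt_fields(raw)
    score = rtt_score(rtt, min_rtt)
    return score, classify(score)
```

score_socket() only works on Linux against an established TCP socket; the constructed buffers from make_tcp_info() let the parsing and banding be exercised without a live connection.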

Hottest takes

"I did some testing with the free one-week trial of Brightdata's residential proxies, and it does detect them too!!!" — Sakura-sx
"You can’t spoof away the speed of light" — soldthat
"Every TCP proxy (that doesn't thwart this) is detectable :)" — ericpauley
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.