How Websites Know You're a Bot (Even With a Perfect Proxy)
You can spend real money on a flawless proxy: a residential IP in exactly the right city, on a genuine home connection, with clean history and nothing on any blocklist. You route your traffic through it, load the site, and within a second or two the site quietly decides you are not a real person. No error. No warning. Just an endless captcha, an empty feed, or an account that gets limited for reasons you can’t see.
The strange part is that the IP was never the problem. The IP is the one thing that was actually right. So how does a website know it’s a bot when the network address looks perfect? The answer is a stack of signals that sit on top of the IP, and understanding it is less about beating these systems than about seeing the invisible layer of judgement that now sits under everything you do online.
The IP is one signal, not the whole story
A proxy changes one thing: where your request appears to come from. It swaps the network origin. It does not change your browser, your machine, or the way you move a mouse and click. People fixate on the IP because it’s the part you can buy and the part that’s easy to understand. But to a modern detection system, the IP is a single column in a very wide table. A perfect score in one column doesn’t save you when every other column looks wrong.
Detection isn’t a single locked door. It’s a hundred small windows, and you have to look natural through all of them at once.
Three layers of identity
It helps to split online identity into three layers:
- Network — your IP and everything around it (ownership, reputation, history).
- Device — your browser and the machine underneath it.
- Behavior — how the thing on the other end actually acts, over time.
A proxy only touches the first layer. Almost all real detection now happens in the second and third, because they are far harder to fake and far more revealing.
Your connection has a fingerprint
Before a single page loads, your software introduces itself. When an encrypted connection is set up, the client sends a detailed “hello” describing how it wants to talk: the order of options, supported versions, the little extensions it lists. That varies between a real browser, a real phone, and an automated tool wearing a browser costume. Security teams turn that hello into a short signature. A real browser produces a familiar one; a scripted client often produces a signature no real browser would ever send.
The address can say “Singapore home broadband” all it likes. If the handshake says “automation library,” the two stories don’t match, and a mismatch is exactly what these systems are built to find.
It goes deeper. The modern web bundles and prioritises requests in a particular rhythm. Header order, stream weighting, the framing underneath all form additional fingerprints, even when the visible headers have been copied perfectly. There are dozens of these low-level traits a normal person never thinks about, because their real browser sets them correctly without trying. Faking a browser by hand means getting every one of them right at once, which is genuinely hard.
The browser paints a unique picture
Once a site can run a little code in your browser, it can ask a long list of innocent questions: which fonts are installed, your screen resolution, how your graphics card draws a hidden image pixel for pixel, how your audio stack rounds a tiny calculation, how much memory and how many processors you report. None of these is secret alone. Stacked together they form a pattern specific enough to recognise the same device again later, across different sessions and different IPs.
This is device fingerprinting, and it’s why changing your network address often does nothing. You walked in wearing a new coat, but it’s the same face, and the doorman was never looking at the coat.
Automated browsers leak in their own ways, too. Frameworks set flags a normal browser never sets; controlled pages expose properties that only exist when a program is driving. Teams sand these tells off, and detection teams find new ones. The asymmetry is the point: the defender only has to notice one thing out of place; the imitator has to be flawless across everything.
Even a clean IP has a past
Even at the network layer the story is richer than one number. Every IP sits in a block owned by some provider, and that ownership is public. Entire databases exist only to label which addresses are home broadband, which are data centers, which belong to known proxy services, and which have misbehaved before. A residential address scores better than a data-center one, but it still has a reverse lookup, an owning network, and a reputation that builds over time. If thousands of requests for thousands of accounts pour through one “residential” address, it stops behaving residential, whatever the label says.
When your clock argues with your address
One of the most elegant checks costs the defender almost nothing. Your address suggests a location. Your browser also quietly reveals your timezone, language, and how your system formats numbers and dates. A real person in Singapore has a Singapore address, a Singapore clock, and local settings, because that’s just their life. Someone borrowing a Singapore address from a distant server often forgets the machine underneath still thinks it’s somewhere else. The address says one city; the clock says another. That single contradiction is a strong signal.
The way you move is a signal
Behavior is the hardest layer to fake. Real people move a mouse in slightly curved, imperfect paths. They pause, overshoot a button, correct. They scroll unevenly, read, hesitate, and type with natural gaps and bursts. Automated activity, unless it works very hard not to, tends to be too clean: straight movements, identical timing, clicks dead-center every time, forms filled faster than anyone could read. The same family of technology lets your bank notice when an account that normally behaves one way suddenly behaves like a machine.
Zoom out and there’s a layer that only appears across many users at once. One session can look fine in isolation, but defenders see everything together: hundreds of accounts sharing one device fingerprint, activity arriving in perfectly even intervals with no sleep or weekends, brand-new accounts all taking the same path at the same speed. No single request is the problem. It’s the shape of the crowd. This is where scale, which feels like strength, quietly becomes the biggest weakness.
How the signals come together
None of this is a single tripwire. Early systems used simple rules (one bad sign and you’re blocked) and were easy to game. Modern systems collect every signal: the handshake, the headers, the device fingerprint, the location agreement, the behavior, the history, and feed them into a risk score. No single mismatch convicts you. The system asks a softer question: given everything together, how human does this look, and how much do we trust it?
A slightly odd browser on a clean home address behaving like a real person might pass. A flawless home address attached to a tool that handshakes like a script, has no graphics fingerprint, moves in straight lines, and shares its device with two thousand accounts does not. The IP was real. Nothing else was, and nothing else agreed.
Why the defenders usually win
There’s a deep asymmetry to the whole contest. Anyone trying to look perfectly human has to win on every layer at once (network, connection fingerprint, device, location story, behavior, long-term pattern) and keep winning as the checks change underneath them. The defender only has to catch one thing that doesn’t fit, and gets to watch millions of real people every day, which means an always-current picture of what “normal” looks like. That’s why a better IP rarely fixes anything for long: it upgrades the one layer that was never the bottleneck.
What this is really about
Here’s the part worth sitting with: this is the same machinery that protects you. The systems that flag a suspicious login are the reason your own accounts are hard for a stranger to take over from another country. The fingerprinting that frustrates a bot is the same fingerprinting that catches a thief using your stolen password on a device that has never been you. It’s a genuine double edge. Understanding how it works isn’t about beating it. It’s about seeing the layer of judgement that now decides, in the time it takes a page to load, whether the internet believes you’re real.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.