BadB
Professional
- Messages
- 2,415
- Reaction score
- 2,362
- Points
- 113
A Deep Dive into ICE Candidate TCP Leaks
But you're immediately blocked.
The reason? WebRTC ICE TCP Candidates are a hidden mechanism that exposes an internal NAT port, even if you're behind a proxy.
Unlike UDP candidates (host, srflx), TCP candidates operate at the transport connection level and can bypass proxies, revealing:
In this article, we'll take a deep technical look at how ICE TCP Candidates work, why they're proxy-independent, and how even a port can give away your network.
ICE (Interactive Connectivity Establishment) is a WebRTC protocol for establishing peer-to-peer connections. It collects candidates—possible addresses for connection:
Firefox
Chrome / Chromium
Dolphin Anty
Windows
Linux (RDP)
Stay technically accurate. Stay paranoid.
And remember: in the world of network security, even a port can give you away.
Introduction: The Shadow Behind UDP
You're using an expensive residential proxy. You check your IP on ipleak.net —everything is clear. You're confident, "Nobody can see me".But you're immediately blocked.
The reason? WebRTC ICE TCP Candidates are a hidden mechanism that exposes an internal NAT port, even if you're behind a proxy.
Unlike UDP candidates (host, srflx), TCP candidates operate at the transport connection level and can bypass proxies, revealing:
- Internal IP (192.168.xx),
- NAT port (e.g. 54321),
- Address translation type (Full Cone, Symmetric).
In this article, we'll take a deep technical look at how ICE TCP Candidates work, why they're proxy-independent, and how even a port can give away your network.
Part 1: What are ICE TCP Candidates?
Technical definition
ICE (Interactive Connectivity Establishment) is a WebRTC protocol for establishing peer-to-peer connections. It collects candidates—possible addresses for connection:| Candidate type | Protocol | Reveals |
|---|---|---|
| Host (local) | UDP/TCP | Local IP + port |
| Server Reflexive (srflx) | UDP/TCP | Public IP + port |
| Relay | UDP/TCP | TURN server |
Key fact:
TCP candidates are often ignored, but they are active by default in Chrome/Chromium.
Part 2: Why TCP Candidates Bypass Proxies
Leakage architecture
- The proxy operates at the HTTP/HTTPS level (L7),
- WebRTC uses direct TCP connections (L4),
- The browser requests the OS for a list of all network interfaces,
- The NAT port is allocated by the OS kernel and is independent of the proxy.
True:
The proxy hides the public IP, but does not affect the NAT port.
Part 3: How TCP Candidates Reveal the Network
Types of candidates and their dangers
| Type | Example | Reveals |
|---|---|---|
| Host TCP | 192.168.1.5:54321 | Local IP + port |
| srflx TCP | 203.0.113.45:12345 | Public IP + NAT port |
| Relay TCP | 198.51.100.1:50000 | TURN server |
The special danger of srflx TCP:
It shows the public IP + NAT port, which:
- Unique for each session,
- May give NAT type (Symmetric vs Full Cone).
Part 4: How NAT Type Reveals Infrastructure
NAT Types Table
| NAT type | Port for different sessions | Infrastructure |
|---|---|---|
| Full Cone | Permanent port | Home router |
| Symmetric | New port every time | VPS, corporate firewall |
| Port Restricted | Depends on the destination address | Cloud servers |
You declare your home IP, but the NAT port changes every session → the system sees: “This is a VPS” → fraud score = 95+
Part 5: How to Check for TCP Candidate Leaks
Step 1: Use test sites
- https://browserleaks.com/webrtc - shows all ICE candidates,
- https://ipleak.net — filter by TCP.
Step 2: Analysis via JavaScript
JavaScript:
const pc = new RTCPeerConnection();
pc.createDataChannel('');
pc.createOffer().then(offer => pc.setLocalDescription(offer));
pc.onicecandidate = e => {
if (e.candidate && e.candidate.protocol === 'tcp') {
console.log('TCP Candidate:', e.candidate.candidate);
// Пример вывода:
// candidate:1234567890 1 tcp 2122260223 192.168.1.5 54321 typ host tcptype active
}
};
If the list contains host TCP or srflx TCP, you have already been exposed.
Part 6: How to Completely Block TCP Candidates
Browser level
Firefox- Enter about:config,
- Find:
- media.peerconnection.ice.tcp → false.
Chrome / Chromium- There is no built-in way to disable TCP candidates,
- Use anti-detect browsers.
Dolphin Anty- When creating a profile,
- In the WebRTC section,
- Select: "Disable WebRTC" or "Hide Local IP".
OS level
Windows- Open PowerShell (Administrator),
- Run:
powershell:
Code:# Disable TCP in WebRTC Set-NetTCPSetting -SettingName InternetCustom -ForceWS Disabled
Linux (RDP)- Disable TCP BBR:
Bash:echo 'net.core.default_qdisc=fq' >> /etc/sysctl.conf echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.conf sysctl -p - Block outgoing TCP ports >1024:
Bash:sudo ufw deny out from any port 1025:65535 proto tcp
Part 7: Why Most Carders Fail
Common Mistakes
| Error | Consequence |
|---|---|
| Disabling only UDP candidates | TCP candidates remain → leak |
| Ignoring NAT port | NAT type is issued by VPS → flag |
| Using a VPS without network configuration | Symmetric NAT → instant ban |
75% of failures are due to WebRTC TCP candidates, even with perfect IP.
Part 8: Practical Guide - Complete Blocking
Step 1: Set up RDP
- Install Windows 10 Pro on bare metal (Hetzner AX41),
- Disable Bonjour/mDNS,
- Change the hostname to generic (eg PC-WIN10).
Step 2: Configure your browser
- Use Dolphin Anty,
- Turn on «Disable WebRTC»,
- Check at browserleaks.com/webrtc
Step 3: Automate the check
- Add a WebRTC verification script to the beginning of each session,
- If TCP candidates are found, abort the operation immediately.
Conclusion: The Port – a New Imprint
WebRTC ICE TCP Candidates aren't just a technical detail. They're a window into your local network that no proxy can block.Final thought:
True anonymity isn't the absence of leaks.
It's the certainty that they're nonexistent at all levels—from the browser to the OS kernel.
Stay technically accurate. Stay paranoid.
And remember: in the world of network security, even a port can give you away.
