From Wikipedia, the free encyclopedia
  (Redirected from SOCKS proxy)
Jump to navigation Jump to search

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

SOCKS performs at Layer 5 of the OSI model (the session layer, an intermediate layer between the presentation layer and the transport layer). SOCKS server accepts incoming client connection on TCP port 1080.[1][2]


The protocol was originally developed/designed by David Koblas, a system administrator of MIPS Computer Systems. After MIPS was taken over by Silicon Graphics in 1992, Koblas presented a paper on SOCKS at that year's Usenix Security Symposium[3], making SOCKS publicly available.[4] The protocol was extended to version 4 by Ying-Da Lee of NEC.

The SOCKS reference architecture and client are owned by Permeo Technologies,[5] a spin-off from NEC. (Blue Coat Systems bought out Permeo Technologies.)

The SOCKS5 protocol was originally a security protocol that made firewalls and other security products easier to administer.[1] It was approved by the IETF in 1996.[1] The protocol was developed in collaboration with Aventail Corporation, which markets the technology outside of Asia.[6]


SOCKS is a de facto standard (in practice standard) for circuit-level gateways.[citation needed]

Another use of SOCKS is as a circumvention tool, allowing traffic to bypass Internet filtering to access content otherwise blocked, e.g., by governments, workplaces, schools, and country-specific web services.[7]

Some SSH suites, such as OpenSSH, support dynamic port forwarding that allows the user to create a local SOCKS proxy.[8] This can free the user from the limitations of connecting only to a predefined remote port and server.

The Tor onion proxy software presents a SOCKS interface to its clients.[9]

Use in cybercrime[edit]

Hacked computers may be configured as SOCKS proxy software obscuring control of a botnet or to optimise credit card fraud.[10][11][12][13]

Comparison to HTTP proxying[edit]

SOCKS operates at a lower level than HTTP proxying: SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make, and then acts as transparently as possible, whereas a regular proxy may interpret and rewrite headers (say, to employ another underlying protocol, such as FTP; however, an HTTP proxy simply forwards an HTTP request to the desired HTTP server). Though HTTP proxying has a different usage model in mind, the CONNECT method allows for forwarding TCP connections; however, SOCKS proxies can also forward UDP traffic and work in reverse, while HTTP proxies cannot. HTTP proxies are traditionally more aware of the HTTP protocol, performing higher-level filtering (though that usually only applies to GET and POST methods, not the CONNECT method).[citation needed]


Bill, or any client for that matter, wishes to communicate with Jane over the internet, but a firewall between them exists on his network, where Bill is not authorized to communicate with Jane directly. So, Bill connects to the SOCKS proxy on his network, informing it about the connection he wishes to make to Jane; the SOCKS proxy opens a connection through the firewall and facilitates the communication between Bill and Jane.

For more information on the technical specifics of the SOCKS protocol, see the sections below.


Bill wishes to download a web page from Jane, who runs a web server. Bill cannot directly connect to Jane's server, as a firewall has been put in place on his network. In order to communicate with the server, Bill connects to his network's HTTP proxy. His web browser communicates with the proxy in exactly the same way that it would directly with Jane's server if that were possible; that is, it sends a standard HTTP request header. The HTTP proxy connects to Jane's server, and then transmits back to Bill any data that Jane's server returns.[14]



A typical SOCKS4 connection request looks like this:

First packet to server
Byte Count 1 1 2 4 Variable 1

VER: SOCKS version number, 0x04 for this version

CMD: command code:

  • 0x01 = establish a TCP/IP stream connection
  • 0x02 = establish a TCP/IP port binding

DSTPORT: port number (in network byte order)

DESTIP: IPv4 Address, 4 bytes (in network byte order)

ID: the user ID string, variable length

NULL: Escape with 0x00

Response packet from server
Byte Count 1 1 2 4

RSV: null byte

REP: reply code

Byte Meaning
0x5A Request granted
0x5B Request rejected or failed
0x5C Request failed because client is not running identd (or not reachable from server)
0x5D Request failed because client's identd could not confirm the user ID in the request

DSTPORT: should be ignored

DSTIP: should be ignored

For example, this a SOCKS4 request to connect Fred to, the server replies with an "OK":

  • Client: 0x04 | 0x01 | 0x00 0x50 | 0x42 0x66 0x07 0x63 | 0x46 0x72 0x65 0x64 0x00
    • The last field is "Fred" in ASCII, followed by a null byte.
  • Server: 0x00 | 0x5A | 0xXX 0xXX | 0xXX 0xXX 0xXX 0xXX
    • 0xXX can be any byte value. The SOCKS4 protocol specifies that the values of these bytes should be ignored.

From this point onwards, any data sent from the SOCKS client to the SOCKS server is relayed to, and vice versa.

The command field may be 0x01 for "connect" or 0x02 for "bind"; the "bind" command allows incoming connections for protocols such as active FTP.


SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address;[15] this is useful when the client itself cannot resolve the destination host's domain name to an IP address.

The client should set the first three bytes of DSTIP to NULL and the last byte to a non-zero value. (This corresponds to IP address 0.0.0.x, with x nonzero, an inadmissible destination address and thus should never occur if the client can resolve the domain name.) Following the NULL byte terminating USERID, the client must send the destination domain name and terminate it with another NULL byte. This is used for both "connect" and "bind" requests.

Client to SOCKS server:

  • field 1: SOCKS version number, 1 byte, must be 0x04 for this version
  • field 2: command code, 1 byte:
    • 0x01 = establish a TCP/IP stream connection
    • 0x02 = establish a TCP/IP port binding
  • field 3: port number, 2 bytes
  • field 4: deliberate invalid IP address, 4 bytes, first three must be 0x00 and the last one must not be 0x00
  • field 5: the user ID string, variable length, terminated with a null (0x00)
  • field 6: the domain name of the host to contact, variable length, terminated with a null (0x00)

Server to SOCKS client:

  • field 1: null byte
  • field 2: status, 1 byte:
    • 0x5A = request granted
    • 0x5B = request rejected or failed
    • 0x5C = request failed because client is not running identd (or not reachable from the server)
    • 0x5D = request failed because client's identd could not confirm the user ID string in the request
  • field 3: port number, 2 bytes (in network byte order)
  • field 4: IP address, 4 bytes (in network byte order)

A server using protocol SOCKS4a must check the DSTIP in the request packet. If it represents address 0.0.0.x with nonzero x, the server must read in the domain name that the client sends in the packet. The server should resolve the domain name and make connection to the destination host if it can.


The SOCKS5 protocol is defined in RFC 1928. It is an extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The initial handshake consists of the following:

  • Client connects and sends a greeting, which includes a list of authentication methods supported.
  • Server chooses one of the methods (or sends a failure response if none of them are acceptable).
  • Several messages may now pass between the client and the server, depending on the authentication method chosen.
  • Client sends a connection request similar to SOCKS4.
  • Server responds similar to SOCKS4.

The authentication methods supported are numbered as follows:

  • 0x00: No authentication
  • 0x01: GSSAPI[16]
  • 0x02: Username/password[17]
  • 0x03–0x7F: methods assigned by IANA[18]
  • 0x80–0xFE: methods reserved for private use

The initial greeting from the client is

  • field 1: SOCKS version, 1 byte (0x05 for this version)
  • field 2: number of authentication methods supported, 1 byte
  • field 3: authentication methods, variable length, 1 byte per method supported

The server's choice is communicated:

  • field 1: SOCKS version, 1 byte (0x05 for this version)
  • field 2: chosen authentication method, 1 byte, or 0xFF if no acceptable methods were offered

The subsequent authentication is method-dependent. Username and password authentication (method 0x02) is described in RFC 1929:

For username/password authentication the client's authentication request is

  • field 1: version number, 1 byte (0x01 for current version of username/password authentication)
  • field 2: username length, 1 byte
  • field 3: username, 1–255 bytes
  • field 4: password length, 1 byte
  • field 5: password, 1–255 bytes

Server response for username/password authentication:

  • field 1: version, 1 byte (0x01 for current version of username/password authentication)
  • field 2: status code, 1 byte
    • 0x00: success
    • any other value is a failure, connection must be closed

The client's connection request is

  • field 1: SOCKS version number, 1 byte (0x05 for this version)
  • field 2: command code, 1 byte:
    • 0x01: establish a TCP/IP stream connection
    • 0x02: establish a TCP/IP port binding
    • 0x03: associate a UDP port
  • field 3: reserved, must be 0x00, 1 byte
  • field 4: address type, 1 byte:
    • 0x01: IPv4 address
    • 0x03: Domain name
    • 0x04: IPv6 address
  • field 5: destination address of
    • 4 bytes for IPv4 address
    • 1 byte of name length followed by 1–255 bytes the domain name
    • 16 bytes for IPv6 address
  • field 6: port number in a network byte order, 2 bytes

Server response:

  • field 1: SOCKS protocol version, 1 byte (0x05 for this version)
  • field 2: status, 1 byte:
    • 0x00: request granted
    • 0x01: general failure
    • 0x02: connection not allowed by ruleset
    • 0x03: network unreachable
    • 0x04: host unreachable
    • 0x05: connection refused by destination host
    • 0x06: TTL expired
    • 0x07: command not supported / protocol error
    • 0x08: address type not supported
  • field 3: reserved, must be 0x00, 1 byte
  • field 4: address type, 1 byte:
    • 0x01: IPv4 address
    • 0x03: Domain name
    • 0x04: IPv6 address
  • field 5: server bound address of
    • 4 bytes for IPv4 address
    • 1 byte of name length followed by 1–255 bytes the domain name
    • 16 bytes for IPv6 address
  • field 6: server bound port number in a network byte order, 2 bytes



SOCKS proxy server implementations[edit]

  • Brook A not detectable socks5 proxy, cross-platform, keep it simple, stupid and not detectable..
  • Dante is a circuit-level SOCKS server that can be used to provide convenient and secure network connectivity, requiring only the host Dante runs on to have external network connectivity.[citation needed]
  • Shadowsocks A secure socks5 proxy, designed to pass through the GFW of China.
  • Sun Java System Web Proxy Server is a caching proxy server running on Solaris, Linux and Windows servers that support HTTPS, NSAPI I/O filters, dynamic reconfiguration, SOCKSv5 and reverse proxy.
  • WinGate is a multi-protocol proxy server and SOCKS server for Microsoft Windows which supports SOCKS4, SOCKS4a and SOCKS5 (including UDP-ASSOCIATE and GSSAPI auth). It also supports handing over SOCKS connections to the HTTP proxy, so can cache and scan HTTP over SOCKS.
  • Socksgate5 SocksGate5 is an application-SOCKS firewall with inspection feature on Layer 7 of the OSI model, the Application Layer. Because packets are inspected at 7 OSI Level the application-SOCKS firewall may search for protocol non-compliance and blocking specified content.

Other programs providing SOCKS server interface[edit]

  • OpenSSH allows dynamic creation of tunnels, specified via a subset of the SOCKS protocol, supporting the CONNECT command.
  • PuTTY is a Win32 SSH client that supports local creation of SOCKS (dynamic) tunnels through remote SSH servers.
  • ShimmerCat[19] is a web server that uses SOCKS5 to simulate an internal network, allowing web developers to test their local sites without modifying their /etc/hosts file.
  • Tor is a system intended to enable online anonymity. Tor offers a SOCKS server interface to its clients.


Client software must have native SOCKS support in order to connect through SOCKS. There are programs that allow users to circumvent such limitations:


Translating proxies[edit]

  • Polipo, a fast, lightweight, forwarding and caching proxy server with IPv4 support. Open Source running on GNU/Linux, OpenWrt, Windows, Mac OS X, and FreeBSD. Almost any Web browser can use it.
  • Privoxy
  • Win2Socks, which enables applications to access the network through SOCKS5, HTTPS or Shadowsocks proxy, even though they do not support proxy.


  1. ^ a b c RFC 1928
  2. ^ "Service Name and Transport Protocol Port Number Registry". Internet Assigned Numbers Authority. 19 May 2017. Retrieved 23 May 2017.
  3. ^ Koblas, David; Koblas, Michelle R. SOCKS (PDF). USENIX UNIX Security Symposium III. Retrieved 16 November 2019.
  4. ^ Darmohray, Tina. "Firewalls and fairy tales". ;LOGIN:. Vol 30, no. 1.
  5. ^ Archive index at the Wayback Machine
  6. ^ CNET: Cyberspace from outer space
  7. ^ "2010 Circumvention Tool Usage Report" (PDF). The Berkman Center for Internet & Society at Harvard University. October 2010.
  8. ^ "OpenSSH FAQ". Archived from the original on 2002-02-01.
  9. ^ "Tor FAQ".
  10. ^ "How to chain socks with Tor". Archived from the original on 2 February 2017. Retrieved 23 January 2017.
  11. ^ Rick Howard (2009). Cyber Fraud: Tactics, Techniques and Procedures. CRC Press. p. 45. ISBN 978-1-4200-9128-1.
  12. ^ Krebs, Brian (16 October 2016). "IoT Devices as Proxies for Cybercrime". Retrieved 23 January 2017.
  13. ^ van Hardeveld, Gert Jan; Webber, Craig; O'Hara, Kieron. "Discovering credit card fraud methods in online tutorials". Retrieved 23 August 2017. Cite journal requires |journal= (help)
  14. ^ "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing". Retrieved 2014-08-01.
  15. ^ Ying-Da Lee. "SOCKS 4A: A Simple Extension to SOCKS 4 Protocol". OpenSSH. Retrieved 2013-04-03.
  16. ^ "RFC 1961". Retrieved 2009-06-19.
  17. ^ "RFC 1929". Retrieved 2009-06-19.
  18. ^
  19. ^ "Easy Net with SOCKS5". ShimmerCat. Retrieved 20 April 2016.

External links[edit]