SOCKS
SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS5 additionally provides authentication so only authorized users may access a server. Practically, a SOCKS server will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded.
SOCKS performs at Layer 5 of the OSI model, the session layer (an intermediate layer between the presentation layer and the transport layer).
History
The protocol was originally developed by David Koblas, a system administrator of MIPS Computer Systems. After MIPS was taken over by Silicon Graphics in 1992, Koblas presented a paper on SOCKS at that year's Usenix Security Symposium and SOCKS became publicly available. The protocol was extended to version 4 by Ying-Da Lee of NEC.
The SOCKS reference architecture and client are owned by Permeo Technologies, a spin-off from NEC. (Blue Coat Systems bought out Permeo Technologies.)
The SOCKS5 protocol was originally a security protocol that made firewalls and other security products easier to administer. It was approved by the IETF in 1996. The protocol was developed in collaboration with Aventail Corporation, which markets the technology outside of Asia.
Usage
Some SSH clients support dynamic port forwarding that allows the user to create a local SOCKS proxy. This can free the user from the limitations of connecting only to a predefined remote port and server. The Tor onion proxy software presents a SOCKS interface to its clients.
Another use of SOCKS is as a circumvention tool, allowing users to bypass Internet filtering to access content otherwise blocked by governments, workplaces and schools.
In the 1990s, SOCKS was widely deployed in corporate environments as a circuit-level gateway, later largely replaced by packet filter and stateful firewalls.
Comparison
SOCKS operates at a lower level than HTTP proxying: SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make and may be used for any form of TCP or UDP socket connection, whereas an HTTP proxy takes an HTTP request and forwards it to an HTTP server. Though HTTP proxying has a different use-case in mind, the CONNECT method allows one to forward TCP connections; there is, however, no mechanism for UDP proxying. The following examples show the difference between the two methods:
SOCKS
Bill wishes to communicate with Jane over the internet, but a firewall exists on his network between them. Bill is not authorized to communicate through it himself. He connects to the SOCKS proxy on his network and sends it information about the connection he wishes to make to Jane. The SOCKS proxy opens a connection through the firewall and facilitates the communication between Bill and Jane. For more information on the technical specifics of the SOCKS protocol, see the sections below.
HTTP
Bill wishes to download a web page from Jane, who runs a web server. Bill cannot directly connect to Jane's server, as a firewall has been put in place on his network. In order to communicate with the server, Bill connects to his network's HTTP proxy. His web browser communicates with the proxy in exactly the same way it would with the target server: it sends a standard HTTP request header. The HTTP proxy reads the request and looks for the Host header. It then connects to the server specified in the header and transmits any data the server replies with back to Bill.
Interaction with firewalls
Many company and university network administrators set firewall rules that prevent users from connecting to any internet service apart from webpages. Both the SOCKS and HTTP proxy protocols can be used to pierce these firewalls. SOCKS is usually used to create a raw TCP connection, and the HTTP proxy protocol can do the same with the CONNECT method. In both cases a TCP connection is created from the client to the proxy server, and the IP address and port to which the client requests a connection is communicated over that connection. In both cases the proxy server can grant, reject, redirect and alter connection requests as it likes. HTTP proxies are traditionally more HTTP-protocol-aware and do more high-level filtering (even though that usually only applies to GET and POST methods, not CONNECT). SOCKS proxies can also forward UDP traffic and work in reverse; HTTP proxies cannot.
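As an added illustration of how an HTTP proxy finds the target the section describes (this is example code, not from the original article or any of the products it names), the Python below extracts the destination host and port from a proxy-bound request, handling CONNECT (authority in the request line), absolute-form URIs, and origin-form requests that name the server only in the Host header. It then applies a constructed ruleset of the kind the text says a proxy may enforce: CONNECT only to an allowed port, and never to a non-global IP literal. The jane.example host name, the sample requests and the policy are all constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit


def _split_host_port(authority, default_port):
    """Split 'host:port' or '[v6]:port'; fall back to default_port when absent."""
    host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():          # no port, or a bare IPv6 literal
        return authority.strip("[]"), default_port
    return host.strip("[]"), int(port)


def parse_proxy_request(raw):
    """Return (method, host, port) for the first request in `raw` (bytes).

    CONNECT carries the target as host:port in the request line; other methods
    name it in an absolute-form URI or, failing that, in the Host header, which
    is where the proxy in the text above looks.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request header")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":                     # target is "host:port"
        host, port = _split_host_port(target, None)
        if port is None:
            raise ValueError("CONNECT target must be host:port")
        return method, host, port
    if "://" in target:                         # absolute-form URI
        url = urlsplit(target)
        if url.hostname is None:
            raise ValueError("absolute-form URI without a host")
        return method, url.hostname, url.port or (443 if url.scheme == "https" else 80)
    if "host" not in headers:                   # origin-form: Host header decides
        raise ValueError("no Host header")
    host, port = _split_host_port(headers["host"], 80)
    return method, host, port


def connect_allowed(host, port, allowed_ports=(443,)):
    """Constructed ruleset (assumption, not any real proxy's policy): CONNECT
    only to listed ports, and never to a loopback, private or otherwise
    non-global IP literal, so the proxy cannot be used to reach the network it
    sits in front of. A real proxy resolves names first and applies the same
    test to every resolved address."""
    if port not in allowed_ports:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True                             # a name: resolve, then re-check
    return ip.is_global


if __name__ == "__main__":
    # Constructed sample requests of the three forms.
    for sample in (
        b"CONNECT jane.example:443 HTTP/1.1\r\nHost: jane.example:443\r\n\r\n",
        b"GET http://jane.example/index.html HTTP/1.1\r\nHost: jane.example\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nHost: jane.example:8080\r\n\r\n",
    ):
        method, host, port = parse_proxy_request(sample)
        print(method, host, port, "allowed" if connect_allowed(host, port) else "denied")
```

The proxy decides where to connect from the parsed target alone; anything after the header block (a request body, or for CONNECT the tunnelled bytes) is relayed, not interpreted, which is why the text notes that HTTP-level filtering rarely applies to CONNECT.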
SOCKS4
A typical SOCKS4 connection request looks like this:
SOCKS Client to SOCKS Server:
- field 1: SOCKS version number, 1 byte, must be 0x04 for this version
- field 2: command code, 1 byte:
  - 0x01 = establish a TCP/IP stream connection
  - 0x02 = establish a TCP/IP port binding
- field 3: network byte order port number, 2 bytes
- field 4: network byte order IP address, 4 bytes
- field 5: the user ID string, variable length, terminated with a null (0x00)
SOCKS Server to SOCKS client:
- field 1: null byte
- field 2: status, 1 byte:
  - 0x5a = request granted
  - 0x5b = request rejected or failed
  - 0x5c = request failed because client is not running identd (or not reachable from the server)
  - 0x5d = request failed because client's identd could not confirm the user ID string in the request
- field 3: 2 arbitrary bytes, that should be ignored
- field 4: 4 arbitrary bytes, that should be ignored
This is a SOCKS4 request to connect Fred to 66.102.7.99:80; the server replies with an "OK".
- Client: 0x04 | 0x01 | 0x00 0x50 | 0x42 0x66 0x07 0x63 | 0x46 0x72 0x65 0x64 0x00
  - The last field is 'Fred' in ASCII, followed by a null byte.
- Server: 0x00 | 0x5a | 0xXX 0xXX | 0xXX 0xXX 0xXX 0xXX
  - 0xXX can be any byte value. The SOCKS4 protocol specifies that the values of these bytes should be ignored.
From this point on any data sent from the SOCKS client to the SOCKS server will be relayed to 66.102.7.99 and vice versa.
The command field can be 0x01 for "connect" or 0x02 for "bind". "bind" allows incoming connections for protocols like active FTP.
SOCKS4a
SOCKS4a is a simple extension to the SOCKS4 protocol that allows a client that cannot resolve the destination host's domain name to specify it.
The client should set the first three bytes of DSTIP to NULL and the last byte to a non-zero value. (This corresponds to IP address 0.0.0.x, with x nonzero, an inadmissible destination address and thus should never occur if the client can resolve the domain name.) Following the NULL byte terminating USERID, the client must send the destination domain name and terminate it with another NULL byte. This is used for both "connect" and "bind" requests.
Client to SOCKS server:
- field 1: SOCKS version number, 1 byte, must be 0x04 for this version
- field 2: command code, 1 byte:
  - 0x01 = establish a TCP/IP stream connection
  - 0x02 = establish a TCP/IP port binding
- field 3: network byte order port number, 2 bytes
- field 4: deliberately invalid IP address, 4 bytes, first three must be 0x00 and the last one must not be 0x00
- field 5: the user ID string, variable length, terminated with a null (0x00)
- field 6: the domain name of the host we want to contact, variable length, terminated with a null (0x00)
Server to SOCKS client:
- field 1: null byte
- field 2: status, 1 byte:
  - 0x5a = request granted
  - 0x5b = request rejected or failed
  - 0x5c = request failed because client is not running identd (or not reachable from the server)
  - 0x5d = request failed because client's identd could not confirm the user ID string in the request
- field 3: network byte order port number, 2 bytes
- field 4: network byte order IP address, 4 bytes
A server using protocol SOCKS4A must check the DSTIP in the request packet. If it represents address 0.0.0.x with nonzero x, the server must read in the domain name that the client sends in the packet. The server should resolve the domain name and make a connection to the destination host if it can.
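The encoder and decoder below are an added example, not code from the original article. They produce and parse the SOCKS4 request shown in the previous section (Fred to 66.102.7.99:80) and apply the SOCKS4a rule from this section on both sides: a client that is given a name rather than a dotted quad emits DSTIP 0.0.0.1 and appends the NUL-terminated name after USERID, and a server that sees DSTIP 0.0.0.x with nonzero x reads that name. The function names, the example.com host and the sample reply bytes are this example's own assumptions. One edge case the text implies is handled explicitly: a client must refuse to send a literal 0.0.0.x destination, since a SOCKS4a server would misread it as "a name follows".

```python
import ipaddress
import struct

SOCKS4_VERSION = 0x04
CMD_CONNECT, CMD_BIND = 0x01, 0x02
STATUS_TEXT = {
    0x5A: "request granted",
    0x5B: "request rejected or failed",
    0x5C: "request failed: client is not running identd (or not reachable)",
    0x5D: "request failed: client's identd could not confirm the user ID",
}


def _ipv4_literal(host):
    """Packed 4 bytes if `host` is a dotted quad, else None (treat as a name)."""
    try:
        return ipaddress.IPv4Address(host).packed
    except ValueError:
        return None


def build_socks4_request(command, host, port, user_id):
    """Client side: encode a SOCKS4 request (dotted-quad host) or a SOCKS4a
    request (any other host: DSTIP = 0.0.0.1 and the name after USERID)."""
    if command not in (CMD_CONNECT, CMD_BIND):
        raise ValueError("command must be 0x01 (connect) or 0x02 (bind)")
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    user = user_id.encode("ascii")
    if b"\x00" in user:
        raise ValueError("USERID is NUL-terminated and cannot contain NUL")
    dst_ip = _ipv4_literal(host)
    tail = b""
    if dst_ip is None:                              # SOCKS4a form
        name = host.encode("ascii")
        if not name or b"\x00" in name:
            raise ValueError("invalid domain name")
        dst_ip, tail = b"\x00\x00\x00\x01", name + b"\x00"
    elif dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        raise ValueError("0.0.0.x is reserved as the SOCKS4a marker")
    return (bytes([SOCKS4_VERSION, command]) + struct.pack("!H", port)
            + dst_ip + user + b"\x00" + tail)


def parse_socks4_request(data):
    """Server side: decode one request. `consumed` marks where any data the
    client sent in the same read (to be relayed, not parsed) begins."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    command = data[1]
    if command not in (CMD_CONNECT, CMD_BIND):
        raise ValueError("unknown command 0x%02x" % command)
    port = struct.unpack("!H", data[2:4])[0]
    dst_ip = data[4:8]
    end_user = data.find(b"\x00", 8)
    if end_user < 0:
        raise ValueError("USERID not terminated")
    user_id = data[8:end_user].decode("ascii")
    consumed = end_user + 1
    is_4a = dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0
    if is_4a:                                        # the SOCKS4a check from the text
        end_name = data.find(b"\x00", consumed)
        if end_name < 0:
            raise ValueError("domain name not terminated")
        host = data[consumed:end_name].decode("ascii")
        consumed = end_name + 1
    else:
        host = str(ipaddress.IPv4Address(dst_ip))
    return {"command": command, "host": host, "port": port,
            "user_id": user_id, "socks4a": is_4a, "consumed": consumed}


def build_socks4_reply(status, port=0, ip="0.0.0.0"):
    """Server side: VN byte is 0x00; port/IP only carry meaning for BIND."""
    if status not in STATUS_TEXT:
        raise ValueError("unknown status")
    return bytes([0x00, status]) + struct.pack("!H", port) + ipaddress.IPv4Address(ip).packed


def parse_socks4_reply(data):
    """Client side: return (granted, status, port, ip). For CONNECT the last
    two are the 'arbitrary bytes' the spec says to ignore."""
    if len(data) != 8 or data[0] != 0x00:
        raise ValueError("malformed SOCKS4 reply")
    status = data[1]
    if status not in STATUS_TEXT:
        raise ValueError("unknown status 0x%02x" % status)
    port = struct.unpack("!H", data[2:4])[0]
    return status == 0x5A, status, port, str(ipaddress.IPv4Address(data[4:8]))


if __name__ == "__main__":
    req = build_socks4_request(CMD_CONNECT, "66.102.7.99", 80, "Fred")
    print(req.hex(" "))                              # the Fred request from the text
    print(parse_socks4_request(build_socks4_request(CMD_CONNECT, "example.com", 80, "Fred")))
    print(parse_socks4_reply(build_socks4_reply(0x5A)))
```

Note that SOCKS4 carries no credential beyond the USERID string, which the server can only check by querying the client's identd; a server that grants requests on USERID alone is trusting an unauthenticated value.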
SOCKS5
The SOCKS5 protocol is an extension of the SOCKS4 protocol that is defined in RFC 1928. It offers more choices of authentication and adds support for IPv6 and for UDP, which can be used for DNS lookups. The initial handshake now consists of the following:
- Client connects and sends a greeting which includes a list of authentication methods supported.
- Server chooses one (or sends a failure response if none of the offered methods are acceptable).
- Several messages may now pass between the client and the server depending on the authentication method chosen.
- Client sends a connection request similar to SOCKS4.
- Server responds similar to SOCKS4.
The authentication methods supported are numbered as follows:
- 0x00: No authentication
- 0x01: GSSAPI
- 0x02: Username/Password
- 0x03-0x7F: methods assigned by IANA
- 0x80-0xFE: methods reserved for private use
The initial greeting from the client is
- field 1: SOCKS version number (must be 0x05 for this version)
- field 2: number of authentication methods supported, 1 byte
- field 3: authentication methods, variable length, 1 byte per method supported
The server's choice is communicated:
- field 1: SOCKS version, 1 byte (0x05 for this version)
- field 2: chosen authentication method, 1 byte, or 0xFF if no acceptable methods were offered
The subsequent authentication is method-dependent. Username and password authentication (method 0x02) is described in RFC 1929:
For username/password authentication the client's authentication request is
- field 1: version number, 1 byte (must be 0x01)
- field 2: username length, 1 byte
- field 3: username
- field 4: password length, 1 byte
- field 5: password
Server response for username/password authentication:
- field 1: version, 1 byte
- field 2: status code, 1 byte:
  - 0x00 = success
  - any other value = failure, connection must be closed
The client's connection request is
- field 1: SOCKS version number, 1 byte (must be 0x05 for this version)
- field 2: command code, 1 byte:
  - 0x01 = establish a TCP/IP stream connection
  - 0x02 = establish a TCP/IP port binding
  - 0x03 = associate a UDP port
- field 3: reserved, must be 0x00
- field 4: address type, 1 byte:
  - 0x01 = IPv4 address
  - 0x03 = Domain name
  - 0x04 = IPv6 address
- field 5: destination address of
  - 4 bytes for IPv4 address
  - 1 byte of name length followed by the name for Domain name
  - 16 bytes for IPv6 address
- field 6: port number in network byte order, 2 bytes
Server response:
- field 1: SOCKS protocol version, 1 byte (0x05 for this version)
- field 2: status, 1 byte:
  - 0x00 = request granted
  - 0x01 = general failure
  - 0x02 = connection not allowed by ruleset
  - 0x03 = network unreachable
  - 0x04 = host unreachable
  - 0x05 = connection refused by destination host
  - 0x06 = TTL expired
  - 0x07 = command not supported / protocol error
  - 0x08 = address type not supported
- field 3: reserved, must be 0x00
- field 4: address type, 1 byte:
  - 0x01 = IPv4 address
  - 0x03 = Domain name
  - 0x04 = IPv6 address
- field 5: destination address of
  - 4 bytes for IPv4 address
  - 1 byte of name length followed by the name for Domain name
  - 16 bytes for IPv6 address
- field 6: network byte order port number, 2 bytes
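The Python below is an added example (not from the original article) that walks the whole SOCKS5 handshake laid out in this section, with both sides' messages: the client greeting and the server's method selection, the RFC 1929 username/password exchange with a server-side check, and the connection request and reply for all three address types. Function names, the credential table and the example.com host are this example's own assumptions.

```python
import hmac
import ipaddress
import struct

VERSION = 0x05
METHOD_NONE, METHOD_GSSAPI, METHOD_USERPASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "request granted", 0x01: "general failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused by destination host",
              0x06: "TTL expired", 0x07: "command not supported / protocol error",
              0x08: "address type not supported"}


def client_greeting(methods):
    """Client: VER, NMETHODS, METHODS (1 byte each)."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("offer between 1 and 255 methods")
    return bytes([VERSION, len(methods), *methods])


def server_select_method(greeting, server_prefs):
    """Server: answer with the first server-preferred method the client offered,
    or 0xFF, after which the client must close the connection."""
    if len(greeting) < 2 or greeting[0] != VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    for method in server_prefs:
        if method in offered:
            return bytes([VERSION, method])
    return bytes([VERSION, NO_ACCEPTABLE])


def userpass_request(username, password):
    """Client: RFC 1929 request. Credentials travel in the clear, so this only
    belongs on a path that is already encrypted or trusted (e.g. an SSH tunnel)."""
    user, pw = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(user) <= 255 and 1 <= len(pw) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([0x01, len(user)]) + user + bytes([len(pw)]) + pw


def userpass_check(request, credentials):
    """Server: verify against {username: password} (constructed store) and return
    the 2-byte status; anything other than 0x00 means the client must close."""
    if len(request) < 3 or request[0] != 0x01:
        raise ValueError("not an RFC 1929 request")
    ulen = request[1]
    if len(request) < 3 + ulen:
        raise ValueError("truncated request")
    user = request[2:2 + ulen].decode("utf-8", "replace")
    plen = request[2 + ulen]
    if len(request) != 3 + ulen + plen:
        raise ValueError("length mismatch")
    expected = credentials.get(user)
    ok = expected is not None and hmac.compare_digest(request[3 + ulen:], expected.encode("utf-8"))
    return bytes([0x01, 0x00 if ok else 0x01])


def encode_address(host, port):
    """ATYP + address + 2-byte port; a non-literal host is sent as a domain name
    so that name resolution happens on the proxy, not the client."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return addr + struct.pack("!H", port)


def decode_address(data, offset):
    """Return (host, port, next_offset) for the ATYP/address/port at `offset`."""
    if len(data) < offset + 2:
        raise ValueError("truncated address")
    atyp = data[offset]
    if atyp == ATYP_IPV4:
        end = offset + 5
        host = str(ipaddress.IPv4Address(data[offset + 1:end]))
    elif atyp == ATYP_IPV6:
        end = offset + 17
        host = str(ipaddress.IPv6Address(data[offset + 1:end]))
    elif atyp == ATYP_DOMAIN:
        end = offset + 2 + data[offset + 1]
        host = data[offset + 2:end].decode("ascii")
    else:
        raise ValueError("address type 0x%02x not supported" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated address")
    return host, struct.unpack("!H", data[end:end + 2])[0], end + 2


def connect_request(host, port, command=CMD_CONNECT):
    """Client: VER, CMD, RSV=0x00, then the destination address."""
    if command not in (CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE):
        raise ValueError("unknown command")
    return bytes([VERSION, command, 0x00]) + encode_address(host, port)


def parse_request(data):
    """Server: decode a connection request; `consumed` is where relayed data starts."""
    if len(data) < 4 or data[0] != VERSION or data[2] != 0x00:
        raise ValueError("malformed request")
    host, port, end = decode_address(data, 3)
    return {"command": data[1], "host": host, "port": port, "consumed": end}


def parse_reply(data):
    """Client: return (status, bound_host, bound_port) from the server's reply."""
    if len(data) < 4 or data[0] != VERSION or data[2] != 0x00:
        raise ValueError("malformed reply")
    if data[1] not in REPLY_TEXT:
        raise ValueError("unknown status 0x%02x" % data[1])
    host, port, _ = decode_address(data, 3)
    return data[1], host, port


if __name__ == "__main__":
    creds = {"fred": "correct horse"}                      # constructed credential store
    print(server_select_method(client_greeting([METHOD_NONE, METHOD_USERPASS]), [METHOD_USERPASS]).hex())
    print(userpass_check(userpass_request("fred", "correct horse"), creds).hex())
    print(parse_request(connect_request("example.com", 443)))
    print(parse_reply(b"\x05\x00\x00\x01\x0a\x00\x00\x01\x04\xd2"))
```

Two details worth noticing: the server chooses from its own preference list rather than the client's order, so a client cannot talk a server that requires username/password down to "no authentication"; and the password comparison uses `hmac.compare_digest` so that a wrong password fails in time independent of where the first differing byte is.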
SOCKS Servers
- Dante is a circuit-level SOCKS server that can be used to provide convenient and secure network connectivity, requiring only the host Dante runs on to have external network connectivity.
- OpenSSH allows dynamic creation of tunnels, specified via a subset of the SOCKS protocol, supporting the CONNECT command.
- PuTTY is a Win32 SSH client that supports local creation of SOCKS (dynamic) tunnels through remote SSH servers.
- sSocks is a SOCKS5 server that implements RFC 1928 (SOCKS V5) and RFC 1929 (Authentication for SOCKS V5); open source, running on Linux.
- Sun Java System Web Proxy Server is a caching proxy server running on Solaris, Linux and Windows servers that supports HTTPS, NSAPI I/O filters, dynamic reconfiguration, SOCKSv5 and reverse proxy.
- WinGate is a multi-protocol proxy server and SOCKS server for Microsoft Windows.
- SS5 is a SOCKS server that implements the SOCKS v4 and v5 protocols.
SOCKS Clients
Client software must have native SOCKS support in order to connect through SOCKS. There are programs that allow this limitation to be circumvented:
Translating proxies
- Polipo, a fast, lightweight, forwarding and caching proxy server with IPv6 support. Speaking the SOCKS4 and SOCKS5 protocols, it is recommended for use together with the Tor anonymising network. Polipo is a web proxy that does HTTP 1.1 pipelining well, so it can improve Tor's communication latency. Open source, running on GNU/Linux, OpenWrt, Windows, Mac OS X, and FreeBSD. Almost any Web browser can use it.
- Privoxy
- socat
External links
- Draft-ietf-aft-socks-chap, Challenge-Handshake Authentication Protocol for SOCKS V5
- RFC 3089: A SOCKS-based IPv6/IPv4 Gateway Mechanism
- RFC 1961: GSS-API Authentication Method for SOCKS Version 5
- RFC 1929: Username/Password Authentication for SOCKS V5
- RFC 1928: SOCKS Protocol Version 5
- SOCKS: A protocol for TCP proxy across firewalls, SOCKS Protocol Version 4 (NEC)