How to get the real IP address of someone using a proxy?

With the ease of setting up and joining/using proxying services (especially those specializing in providing anonymity, such as Tor), it would be impossible for any company to legitimately claim to be able to "unmask" someone behind a proxy based on having some kind of relationship with ISPs and proxy services, to say nothing of the sheer volume of those and how monumental a task it would be to form those relationships in the first place.

Most likely what they do is utilize a Flash or Java applet, or a bit of JavaScript, which would "go directly to the source to learn the true IP". This is the most common method of "unmasking" proxied users, and according to at least one of the white papers on their site (registration required, but you can use a throwaway e-mail and bogus info; I picked their "online community" one at random), this is exactly what they do:

Software Downloads and Web Technologies: Software downloads such as ActiveX and Web technologies for cookies, flash-stored objects and java script leverage IP addresses, geo-location and other non-unique identifiers to recognize or re-recognize a device every time it creates an online account.

This is combined with a giant database to determine what level of "threat" a user poses, but the ultimate end result is that they are using one or more code objects that execute on the client's browser, which does indeed bypass proxies and can indeed determine the "real" IP behind them.

That this makes it "difficult to hide" is, however, false -- it is pretty darned easy to disable JavaScript, Flash, Java, ActiveX (to say nothing of using a browser that doesn't support that in the first place), or to even install a simple application like Privoxy which can prevent these things from even reaching your browser in the first place. Combined with an onion routing network like Tor and this "hardened" browser running inside of a VM (which, as @Blomkvist commented above, is easy to get and use), it's all but impossible to determine the real IP of a user (to say nothing of the question: "What is someone's "real IP" if they are running a NAT'ed VM on a host inside a private network on an ISP that itself uses NAT for its customers" -- that's 3 different private IPs that "belong" to that user, yet none reveals any information about said user!).


Another trick is to use DNS. If you control the DNS server for your domain then you can see all requests coming in.

By creating a unique subdomain address for each visitor and embedding it somewhere in the HTML, you can check the client's real IP on the DNS server.

This will work so long as the client doesn't masquerade DNS.