It's not hard to distinguish a VPN connection by behaviour pattern really. Some simple features to detect:
Both small packets and maxing out the window size in one stream. Lack of DNS queries from the host. Single connection dominating the bandwidth.
There's a reason for all of those of course, but put them together on a residential connection: almost certainly a VPN user.
And these are all really simple heuristics. In practice, we know you can identify which Netflix video are you watching just by the packet sizes/timing.
There was a post recently about how someone was able to set up his own vpn which bypassed it. Something about the server padding out its response with garbage data?
Both small packets and maxing out the window size in one stream. Lack of DNS queries from the host. Single connection dominating the bandwidth.
There's a reason for all of those of course, but put them together on a residential connection: almost certainly a VPN user.
And these are all really simple heuristics. In practice, we know you can identify which Netflix video are you watching just by the packet sizes/timing.