The battle between defenders and Internet attackers has long since stopped being a matter of closing ports or keeping patches up to date. A source of problems that is now going unnoticed in many organizations is residential proxies: networks of IP addresses that appear to belong to homes and that criminals use to camouflage malicious activity. A recent report by GreyNoise, based on the analysis of billions of sessions, once again draws attention to how hard it is for IP reputation systems to distinguish between a legitimate user and an attacker who comes in through "a domestic connection". More information in GreyNoise's own report: Invisible Army: Residential Proxy Abuse.
The study's figures speak for themselves: GreyNoise examined a huge volume of sessions aimed at the network edge over three months and found that about 39% of this activity came from ranges that appear to be home connections, i.e. residential proxies. But here is the disturbing part: most of these IPs do not appear in the traditional reputation feeds. In particular, the study indicates that a high percentage - of the order of 78% in the sample - remains "invisible" to the lists that many security teams use to block suspicious traffic.

Why is this happening? The explanation is practical and, unfortunately, effective for the attackers: the residential IPs used in these operations are usually very short-lived, used sparingly and quickly replaced by others. This systematic rotation prevents systems that depend on accumulated abuse histories from cataloguing them as malicious before they have already been used and discarded. GreyNoise found that the vast majority of the residential IPs associated with malicious activity operate for less than a month; only a tiny fraction remains active for several months.
In addition to the brevity of these connections, geographical and provider diversity further complicates the problem. The observed IPs came from hundreds of different Internet access providers - which makes blocking by ASN difficult without harming legitimate users - and there were concentrations in countries such as China, India and Brazil. A curious detail that supports the idea that many of these IPs really are personal or domestic devices is that their activity follows a rhythm marked by human sleep patterns: the volume drops significantly during the local night, when people turn off their equipment.
Another factor that makes them stealthy is the main purpose for which they are used. The data show that most of the traffic from these addresses is aimed at network reconnaissance and scanning, not directly at running exploits. Only a small percentage ends in actual exploitation attempts; however, this preliminary mapping work is what allows attackers to identify valid targets and design subsequent attacks. The activities observed ranged from mass scans to attempts to reach corporate VPN login pages and specific cases of credential stuffing or path traversal.
The architecture that generates this traffic has two main sources, according to the researchers: on the one hand, botnets focused on IoT devices, which harvest resources from a multitude of compromised home devices; on the other, users' equipment infected or enlisted via SDKs embedded in free applications - such as VPN clients, ad blockers or other utilities - which, in exchange for services or monetization, turn these devices into nodes that sell bandwidth and relay third-party traffic.
A practical example of the ecosystem's resilience is what happened to one of the largest residential proxy networks (referred to in the report). A coordinated intervention by threat intelligence teams managed to temporarily reduce its address pool by a significant percentage, but the space left behind was quickly filled with traffic from data centres or other sources: demand is absorbed and capacity is quickly restored. This illustrates that solutions focused on taking down an isolated piece rarely eliminate the threat definitively.
Faced with this scenario, GreyNoise and industry experts propose rethinking the dependence on IP reputation lists as the main pillar of defence. Instead, detection should focus on behaviour patterns that survive address rotation: for example, identifying probe sequences that follow the same pattern even when they come from different IPs, blocking protocols that are clearly inappropriate for ISP address space (such as SMB exposed to the Internet), and collecting device or connection fingerprints that do not change when the IP does.

For security teams and IT managers this has several practical consequences. It is not a matter of completely abandoning reputation lists - they are still useful - but of combining them with telemetry, time correlation and heuristic behaviour analysis to detect the same actor despite the rotation of IPs. It is also essential to protect critical entry points, apply strong authentication and monitor failed logins or unusual probing patterns. In simple terms: look less at the label (the IP) and more at the behaviour.
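As an added illustration of the behaviour-first approach recommended above (grouping probe sequences that repeat across different IPs, and using a reputation feed as a complement rather than the only signal), the following Python example clusters web-server access-log sessions by a fingerprint that ignores the source address. It is example code written for this page, not GreyNoise's tooling or anything from the report; the log lines, request paths, client string, IP addresses (RFC 5737 test ranges) and the one-entry reputation feed are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed reputation feed: only one of the campaign's IPs is listed,
# mirroring the report's point that most proxy IPs never reach the feeds.
REPUTATION_LIST = {"203.0.113.7"}

# Constructed access-log sample (combined log format, RFC 5737 test addresses).
# Four different "residential" IPs run the same three-step portal probe with
# the same client string; one ordinary visitor browses two pages.
SAMPLE_LOG = """\
198.51.100.12 - - [10/Mar/2025:02:14:01 +0000] "GET /vpn/login HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
198.51.100.12 - - [10/Mar/2025:02:14:02 +0000] "GET /sslvpn/portal HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
198.51.100.12 - - [10/Mar/2025:02:14:03 +0000] "GET /remote/auth HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
203.0.113.7 - - [10/Mar/2025:02:31:10 +0000] "GET /vpn/login HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
203.0.113.7 - - [10/Mar/2025:02:31:11 +0000] "GET /sslvpn/portal HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
203.0.113.7 - - [10/Mar/2025:02:31:12 +0000] "GET /remote/auth HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
198.51.100.77 - - [10/Mar/2025:03:02:40 +0000] "GET /vpn/login HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
198.51.100.77 - - [10/Mar/2025:03:02:41 +0000] "GET /sslvpn/portal HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
198.51.100.77 - - [10/Mar/2025:03:02:42 +0000] "GET /remote/auth HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
192.0.2.45 - - [10/Mar/2025:03:40:05 +0000] "GET /vpn/login HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
192.0.2.45 - - [10/Mar/2025:03:40:06 +0000] "GET /sslvpn/portal HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
192.0.2.45 - - [10/Mar/2025:03:40:07 +0000] "GET /remote/auth HTTP/1.1" 404 120 "-" "Mozilla/5.0 Probe/1.0"
192.0.2.200 - - [10/Mar/2025:09:00:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
192.0.2.200 - - [10/Mar/2025:09:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "ts": ts, "path": m["path"],
                       "status": int(m["status"]), "ua": m["ua"]})
    return events


def sessionize(events, gap_seconds=60):
    """Split each IP's events into sessions separated by more than gap_seconds of silence.

    Each session is reduced to what survives IP rotation: the client string and
    the ordered sequence of requested paths.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    sessions = []
    for ip, evs in by_ip.items():
        current = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() > gap_seconds:
                sessions.append(current)
                current = []
            current.append(cur)
        sessions.append(current)
    return [{"ip": ip_evs[0]["ip"], "ua": ip_evs[0]["ua"],
             "paths": tuple(e["path"] for e in ip_evs), "start": ip_evs[0]["ts"]}
            for ip_evs in sessions]


def behaviour_key(session):
    """Fingerprint that deliberately excludes the source IP."""
    return (session["ua"], session["paths"])


def detect_campaigns(events, min_ips=3):
    """Group sessions by behaviour; a key seen from at least min_ips distinct IPs is a campaign."""
    clusters = defaultdict(set)
    for s in sessionize(events):
        clusters[behaviour_key(s)].add(s["ip"])
    return {key: ips for key, ips in clusters.items() if len(ips) >= min_ips}


def reputation_coverage(ips, feed=REPUTATION_LIST):
    """Fraction of a campaign's IPs that a static reputation feed alone would have caught."""
    return len(ips & feed) / len(ips)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (ua, paths), ips in detect_campaigns(evs).items():
        print(f"campaign: {len(ips)} IPs, client={ua!r}, sequence={paths}")
        print(f"  reputation feed covered {reputation_coverage(ips):.0%} of them")
```

The benign visitor's session (Firefox client, two pages) is seen from a single IP and is never flagged, while the repeated three-path probe is attributed to one campaign across four addresses even though the reputation feed knows only one of them. In production the fingerprint would be extended with the connection-level attributes the article mentions (TLS or HTTP fingerprints, timing jitter) and the IP reputation hit would be one weighted input to the score rather than a gate.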
The technical and operational challenge is considerable: monitoring and correlating large volumes of events, extracting robust signals without generating false positives and, at the same time, not disrupting the experience of legitimate users. Tools such as web application firewalls with behaviour-based detection capabilities, intrusion prevention systems that integrate network telemetry, and advanced fingerprinting mechanisms gain prominence in this context. For those who want to better understand the logic of the problem and how bots and automated traffic are classified, it is useful to read explanatory pieces such as Cloudflare's on what a bot is and why not all of them behave the same: What is a bot? (Cloudflare).
If anything is made clear by the GreyNoise report and the coverage it is receiving, it is that the economy and the technique behind residential proxies evolve faster than many traditional defences. It is no longer enough to block suspicious addresses: a more holistic view is needed, in which the observation of behaviour, cooperation between intelligence providers and the implementation of strong access controls make the difference. For those who want to consult the original data and technical recommendations, GreyNoise's full report is available here: Invisible Army: Residential Proxy Abuse, and the specialized press has covered the findings, for example Bleeping Computer.