Security & Infrastructure Tools
Residential proxy sessions evaded IP reputation checks 78% of the time in a 4 billion session dataset
Researchers found that residential proxies carrying malicious traffic evade IP reputation checks in 78% of the sessions attributed to them, challenging the assumption that attackers can be identified by their source location. GreyNoise analyzed 4 billion malicious sessions against edge networks over three months; about 39% of those sessions originated from home networks, and 78% of that residential share was absent from reputation feeds. Most of these proxy IPs are short-lived, often active for less than a month, and rotate quickly, so defensive systems never finish cataloging them. The proxies span 683 ISPs and mainly perform network scanning rather than exploitation, with only 0.1% involved in real attacks. They are sourced largely from China, India, and Brazil, and stem from two ecosystems: IoT botnets and infected computers enrolled through SDKs bundled into free VPNs or ad blockers. Even after Google and partners disrupted the large IPIDEA network, other providers quickly filled the gap, showing the resilience of this proxy ecosystem. GreyNoise recommends moving beyond IP reputation to behavioral detection: monitoring sequential probing from rotating IPs, blocking protocols such as SMB that have no legitimate business arriving from residential space, and tracking device fingerprints that survive IP changes.

Residential proxies are increasingly slipping past IP reputation systems, and the scale of the problem is forcing defenders to rethink a cornerstone of network security. A recent analysis by GreyNoise examined a massive dataset of four billion malicious sessions targeting edge networks over a three‑month window and found that a substantial share of the traffic could be traced to residential proxies. The bigger story isn’t just a handful of rogue IPs; it’s a dynamic ecosystem of short‑lived, rotating addresses that defies traditional cataloging and makes it hard to separate attackers from ordinary users.
In the study, roughly 39% of the sessions appeared to originate from home networks, which strongly suggests residential proxy usage. Yet about 78% of those residential sessions were invisible to the IP reputation feeds that most defenses rely on. That gap exposes a structural weakness: reputation scores are built from an address's past behavior, so an attacker who keeps cycling fresh source IPs through numerous providers never accumulates a history to be scored against. The origin of traffic, once a dependable signal, no longer discriminates between bad actors and legitimate users.
One of the most striking patterns is the sheer transience of many residential IPs. Most are used only once or twice before disappearing, only to be replaced by a new set of addresses. Attackers rotate proxies at a pace that keeps them just ahead of the checks designed to flag them. As a result, the majority of residential IPs involved in malicious activity operate on extremely short lifespans. When longer‑lived addresses do exist, they tend to carry a distinct specialization, with SSH activity and Linux TCP stacks appearing more frequently among those enduring proxies.
Diversity compounds the challenge. The residential proxies involved in these operations come from a broad spectrum of providers—683 different ISPs were represented in the data. The activity isn’t narrowly targeted either: most residential IPs engage in network scanning and reconnaissance rather than direct exploitation. In fact, only a tiny fraction—about 0.1%—are involved in actual exploits. A small portion, around 1.3%, targeted enterprise VPN login portals, and there were occasional instances of path traversal and credential‑stuffing attempts as well. This mix makes it harder to draw clear lines between “normal” residential traffic and malicious behavior, since the same pool of addresses can serve both legitimate and nefarious purposes at different times.
Geography and human patterns add another layer of complexity. China, India, and Brazil are identified as major sources, but the traffic from these proxies mirrors human daily rhythms—traffic volumes dip at night as people go to sleep and devices power down. That diurnal behavior can mask malicious pulses, allowing harmful activity to blend into the background noise of everyday usage.
The study also highlights two distinct ecosystems fueling residential proxy networks: IoT botnets and compromised computers. In the latter case, proxies come from software development kits bundled into free VPNs, ad blockers, and similar apps that enroll user devices into bandwidth-selling schemes. The resilience of these networks was illustrated by the disruption of a major residential proxy network known as IPIDEA. Google and partners managed to cut its pool by roughly 40%, but the aftermath saw an uptick in datacenter traffic, evidence that demand is quickly absorbed by other players and that any loss of capacity is temporary.
What all of this means for defense strategies is clear. Relying on IP reputation alone is no longer sufficient. The defenders’ best path forward is to shift focus from where traffic comes from to how traffic behaves. There are tangible steps that can help surface the legitimate from the illegitimate even when IPs rotate:
- Look for sequential probing patterns that originate from rotating residential addresses. Repeated, orderly scans across a range of targets can signal automated reconnaissance even when the source IPs change.
- Block clearly illegitimate protocols at the edge, such as SMB connections arriving from residential ISP address space, which have no legitimate reason to reach an internet-facing service; cutting them off removes an obvious abuse vector before it propagates.
- Track device fingerprints that persist beyond IP rotation. When a device presents stable hardware or software characteristics despite changing network identifiers, it can reveal a single actor using multiple proxies.
- Monitor for correlations across sessions that span different IPs but share underlying toolkit signatures, timing, or behavior that doesn’t align with typical residential use.
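The four recommendations above amount to one shift: key detections on what survives IP rotation (a client signature, a probing sequence, a protocol that should never arrive from a given address class) rather than on the address itself. The following is an added example written for this page, not GreyNoise's tooling or code: it parses a handful of constructed edge-session log lines and implements each check in turn. The log format, the `res`/`dc` address-class label (assumed to come from an ASN lookup), the `fp-*` fingerprint values (standing in for any stable client signature such as a TLS or TCP-stack hash), and the `REPUTATION_FEED` set are all assumptions made for the example.

```python
"""Behavioural checks over edge-session logs, as an alternative to pure IP reputation.

Constructed example (not GreyNoise data). Assumed line format:
    <ISO timestamp> <src_ip> <res|dc> <fingerprint> <dst_port> <path>
"res" marks an address from residential ISP space, "dc" a datacenter address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """
2024-05-01T02:00:01Z 203.0.113.10 res fp-A1 443 /
2024-05-01T02:00:09Z 198.51.100.23 res fp-A1 443 /admin
2024-05-01T02:00:17Z 192.0.2.77 res fp-A1 443 /login
2024-05-01T02:00:25Z 203.0.113.54 res fp-A1 443 /.env
2024-05-01T02:00:33Z 198.51.100.90 res fp-A1 443 /wp-login.php
2024-05-01T09:15:00Z 203.0.113.200 res fp-B7 443 /
2024-05-01T09:30:12Z 203.0.113.200 res fp-B7 443 /
2024-05-01T11:02:44Z 192.0.2.15 res fp-C3 445 -
2024-05-01T11:10:00Z 198.51.100.5 dc fp-D9 22 -
2024-05-03T11:10:00Z 198.51.100.5 dc fp-D9 22 -
""".strip().splitlines()

# Assumed reputation feed: only one of the residential addresses above has ever been listed.
REPUTATION_FEED = {"192.0.2.15"}


def parse(lines):
    """Turn raw log lines into session dicts with a parsed timestamp."""
    sessions = []
    for line in lines:
        ts, ip, kind, fp, port, path = line.split()
        sessions.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                         "residential": kind == "res", "fp": fp,
                         "port": int(port), "path": path})
    return sessions


def reputation_miss_rate(sessions, feed):
    """Fraction of residential sessions whose source IP is absent from the feed."""
    res = [s for s in sessions if s["residential"]]
    missed = [s for s in res if s["ip"] not in feed]
    return len(missed) / len(res) if res else 0.0


def rotating_probe_clusters(sessions, min_ips=3, min_targets=3, window=timedelta(minutes=5)):
    """Sequential probing from rotating residential IPs: the same client fingerprint
    hitting several distinct targets from several distinct addresses inside one window."""
    by_fp = defaultdict(list)
    for s in sessions:
        if s["residential"]:
            by_fp[s["fp"]].append(s)
    hits = {}
    for fp, group in by_fp.items():
        group.sort(key=lambda s: s["ts"])
        start = 0
        for end in range(len(group)):          # sliding window over this fingerprint's sessions
            while group[end]["ts"] - group[start]["ts"] > window:
                start += 1
            win = group[start:end + 1]
            ips = {s["ip"] for s in win}
            targets = [(s["port"], s["path"]) for s in win]
            if len(ips) >= min_ips and len(set(targets)) >= min_targets:
                hits[fp] = {"ips": sorted(ips), "targets": targets}
    return hits


def residential_smb(sessions, smb_ports=(139, 445)):
    """SMB arriving from residential space has no legitimate purpose at an internet edge."""
    return [s["ip"] for s in sessions if s["residential"] and s["port"] in smb_ports]


def long_lived_ips(sessions, min_days=1):
    """Addresses observed across at least min_days; most proxy IPs never reach this."""
    first, last = {}, {}
    for s in sessions:
        first[s["ip"]] = min(first.get(s["ip"], s["ts"]), s["ts"])
        last[s["ip"]] = max(last.get(s["ip"], s["ts"]), s["ts"])
    return sorted(ip for ip in first if last[ip] - first[ip] >= timedelta(days=min_days))


if __name__ == "__main__":
    S = parse(LOG_LINES)
    print("reputation miss rate:", reputation_miss_rate(S, REPUTATION_FEED))
    print("rotating probe clusters:", rotating_probe_clusters(S))
    print("residential SMB sources:", residential_smb(S))
    print("long-lived IPs:", long_lived_ips(S))
```

On the constructed input, `fp-A1` is flagged because one fingerprint walks five distinct paths from five distinct residential addresses within 32 seconds, even though not one of those addresses is in the feed; `fp-B7`, two visits from a single home IP, is not. The window and thresholds are deliberately loose so the logic is visible; in production they would be tuned per service and the fingerprint would be a real client signature, not a log field.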
The evolving landscape of residential proxies is a reminder that attackers are increasingly adept at exploiting the gaps between detection signals. As IP reputation becomes a less reliable standalone signal, defenders must build layered, behavior‑based analytics that connect dots across time, space, and technology stacks. The challenge is substantial, but the path to stronger resilience lies in embracing a broader view of traffic beyond its point of origin and focusing on the patterns that persist as networks and devices rotate and adapt.