Full Report
Researchers warn that residential proxies used to route malicious traffic are a big problem for IP reputation systems, as there is no clear distinction between attackers and legitimate users. [...]
Analysis Summary
# Tool/Technique: Residential Proxy Evasion
## Overview
Residential proxies involve the routing of malicious traffic through legitimate home internet connections (ISPs) to bypass security measures. Attackers use these proxies to mask their true origin, leveraging the high reputation of residential IP addresses to evade IP-based blacklists and automated detection systems.
## Technical Details
- **Type**: Technique (Proxy Infrastructure)
- **Platform**: Cross-platform (IoT devices, Windows, Linux, Android)
- **Capabilities**: IP rotation, geo-location spoofing, reputation evasion, traffic tunneling.
- **First Seen**: Ongoing; significantly intensified as an industrial-scale service in recent years.
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
- **[T1090.003 - Proxy: Multi-hop Proxy]**
- **[T1562 - Impair Defenses]** (by rendering IP reputation systems ineffective)
- **[TA0001 - Reconnaissance]**
- **[T1595 - Active Scanning]** (Used for 99.9% of observed traffic)
- **[TA0006 - Credential Access]**
- **[T1110 - Brute Force]** (Credential stuffing via residential nodes)
## Functionality
### Core Capabilities
- **High-Velocity Rotation**: IPs are used briefly (once or twice) and then discarded, preventing defender systems from cataloging them.
- **Reputation Masking**: Traffic appears to originate from standard consumer ISPs, which are typically trusted by web application firewalls (WAFs).
- **Stealth Reconnaissance**: Primarily used for wide-scale network scanning and probing to identify targets without triggering "noisy" alerts.
### Advanced Features
- **Human-Mimicry Patterns**: Traffic often follows the sleep/wake cycles of the physical location (dropping by 1/3 at night), making the traffic appear organic.
- **Specialized Persistent Nodes**: A small percentage (1.6%) of IPs persist for 3+ months, often specializing in SSH-focused attacks and utilizing Linux TCP stacks.
- **Hybrid Infrastructure**: Integration of compromised IoT botnets and "consent-based" bandwidth sharing via SDKs in free software (VPNs, ad blockers).
## Indicators of Compromise
- **File Hashes**: *Specific hashes vary by the hosting malware (e.g., SDKs or Botnets) and are not provided in the source text.*
- **File Names**: Bundled within free VPNs and Ad-blocker applications.
- **Network Indicators**:
  - `ipidea[.]net` (associated with the disrupted proxy network)
  - Traffic originating from ISP-assigned IP ranges attempting to access enterprise protocols.
- **Behavioral Indicators**:
  - Sequential probing/scanning across multiple unrelated residential IP addresses.
  - Large spikes in datacenter traffic following the takedown/disruption of residential nodes.
  - SMB or SSH connection attempts originating from residential ISP space.
## Associated Threat Actors
- **IPIDEA**: A major commercial residential proxy provider (recently disrupted).
- **Botnet Operators**: Various groups leveraging Mirai-like IoT malware to enroll nodes.
- **Cyber-mercenaries**: Groups providing "Residential Proxy as a Service" (RPaaS).
## Detection Methods
- **Behavioral Detection**: Shifting focus from "where" traffic comes from (IP) to "what" the traffic is doing (sequential probing patterns).
- **Protocol Filtering**: Identifying and flagging illegitimate protocols (e.g., SMB) originating from residential ISP ranges.
- **Device Fingerprinting**: Implementing browser or TCP/IP fingerprinting to track a single actor as they rotate through multiple IP addresses.
- **TTL/Stack Analysis**: Analyzing TCP stacks to identify Linux-based botnet nodes operating on residential connections.
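The protocol-filtering and fingerprint-correlation checks above, as an added example that is not code from the report or the researchers it cites. It assumes the defender already has a list of residential ISP prefixes (constructed here from RFC 5737 documentation ranges) and that the sensor records a per-client fingerprint such as a JA3 or TCP-stack hash alongside each connection.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed defender-maintained residential ISP prefixes (constructed, RFC 5737 ranges).
RESIDENTIAL_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}

# Constructed sample log: "<unix_ts> <src_ip> <dst_port> <client_fingerprint>".
SAMPLE_LOG = """\
1700000001 198.51.100.10 443 fp-a1
1700000002 198.51.100.11 443 fp-a1
1700000003 203.0.113.5 443 fp-a1
1700000005 198.51.100.12 445 fp-b2
1700000006 192.0.2.7 22 fp-c3
1700000007 198.51.100.13 22 fp-b2
"""

def is_residential(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)

def parse_log(text):
    """Return (ts, src_ip, dst_port, fingerprint) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, port, fp = line.split()
            events.append((int(ts), ip, int(port), fp))
    return events

def admin_from_residential(events):
    """Protocol filtering: SSH/SMB/RDP attempts sourced from residential ISP space."""
    return [(ip, ADMIN_PORTS[port]) for _, ip, port, _ in events
            if port in ADMIN_PORTS and is_residential(ip)]

def rotating_actors(events, min_ips=3, window=60):
    """Behavioral detection: one fingerprint seen from >= min_ips distinct
    residential IPs within `window` seconds, i.e. one actor rotating proxies."""
    seen = defaultdict(list)
    for ts, ip, _, fp in events:
        if is_residential(ip):
            seen[fp].append((ts, ip))
    hits = {}
    for fp, obs in seen.items():
        obs.sort()
        for i, (t0, _) in enumerate(obs):
            ips = {ip for t, ip in obs[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                hits[fp] = ips
                break
    return hits
```

The port-22 attempt from 192.0.2.7 is deliberately outside the residential list, so the protocol filter ignores it while the two attempts from residential space are flagged.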
## Mitigation Strategies
- **Zero Trust Architecture**: Move away from using IP reputation as a primary trust signal.
- **Geofencing**: Residential proxies can defeat this control, but limiting traffic from high-risk regions (China, India, Brazil) to sensitive enterprise logins still reduces the attack surface.
- **Aggressive Rate Limiting**: Implement limits based on session characteristics rather than just IP address.
- **Protocol Hardening**: Disallow external-facing administrative ports (SSH, RDP, SMB) from non-corporate IP ranges.
## Related Tools/Techniques
- **IoT Botnets**: Used to harvest residential IPs from compromised routers and cameras.
- **SDK-based Proxyware**: Legitimate-looking apps (VPNs/Ad-blockers) that turn user devices into proxy exit nodes.
- **Fast Flux DNS**: A related technique for rapidly changing IP addresses to hide malicious infrastructure.