Why blocking datacenter IPs isn't enough anymore
For years the first line of bot defense was simple: block traffic from datacenters. If a request to your login page came from an AWS, Hetzner, or DigitalOcean IP, it almost certainly wasn't a customer shopping from their couch. That heuristic still catches the lazy 10%, but the serious operators left datacenters behind a long time ago. Today they come from the same IP ranges your real customers do — because they are, quite literally, your customers' networks.
What a residential proxy actually is
A residential proxy routes a bot's traffic through a real consumer device — a home router, a phone, a smart TV — so that the exit IP belongs to Comcast or Vodafone instead of a cloud provider. Those devices get enrolled in a few ways: bundled into 'free' VPN and utility apps whose fine print sells the user's bandwidth, baked into SDKs that pay app developers per installed device, or simply compromised. The largest networks advertise tens of millions of rotating residential IPs across virtually every country and carrier.
- Rotation: a campaign can use a fresh residential IP for every single request, so per-IP rate limits see one hit and move on
- Geo-targeting: operators pick exit nodes in the same city as your real users to defeat impossible-travel checks
- Clean reputation: these IPs have legitimate human traffic alongside the abuse, so blocklists can't blanket-ban them without hurting real users
- ASN camouflage: the traffic rides consumer ISPs, not the hosting ASNs that reputation feeds flag
Why IP reputation breaks
IP reputation assumes an address has a stable, knowable character: this one is a known scanner, that one is a residential customer. Residential proxies collapse that assumption. The same IP that served a credential-stuffing attempt at 02:00 is a real person checking their email at 08:00. Block it and you generate a support ticket; allow it and you let the next attempt through. Reputation degrades from a verdict into a weak prior — still useful as one input, useless as a gate.
What works instead
Once the IP stops being decisive, detection has to move to signals the proxy network can't launder. The exit IP is residential, but the thing behind it is still an automation framework — and that shows up everywhere else:
- Infrastructure intelligence: services like Spur and GreyNoise specifically classify whether an IP is a known proxy exit, not just whether it's 'residential' — that re-adds signal the basic geo lookup lost
- TLS/JA4 fingerprinting: the proxy changes the IP, not the client's TLS stack, so a Python or Go handshake behind a Comcast IP is still obviously not a browser
- Behavioral consistency: rotating IPs mid-session, or a 'returning user' whose device fingerprint never matches their cookie, betrays the rotation
- Velocity at the account layer: stop counting per IP and start counting per targeted account, per fingerprint, and per ASN cohort — the distributed attack re-concentrates there
The lesson is the same one that runs through all of this work: any single signal an attacker can buy their way around stops being a control. IP was the cheapest signal to defeat, so it fell first. Layer the signals they can't cheaply launder — handshake, behavior, account-level velocity — and weight the disagreements. A residential IP attached to a datacenter-grade TLS stack and a brand-new device is not a customer, no matter what the geo lookup says.
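To make the layering concrete, here is an added example (not code from the original note or from any of the products it mentions) that scores login attempts with the signals listed above and the weighting the closing paragraph describes. It assumes each attempt has already been enriched upstream with an ASN kind, a proxy-exit verdict from an infrastructure-intel feed, a JA4-derived TLS class, and a device fingerprint; the field names, weights, window and threshold are all assumptions chosen for illustration, and the log records are constructed. IP reputation is deliberately the lightest-weighted input, so one strong signal alone stays under the block threshold and it is the agreement of several laundering-resistant signals that produces a block.

```python
"""Multi-signal scoring for login attempts whose source IP is residential."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    session: str          # session identifier carried by the client
    account: str          # account being logged into
    asn_kind: str         # "residential" or "hosting" (assumed upstream ASN lookup)
    proxy_exit: bool      # verdict from an infra-intel feed (assumed upstream)
    ja4_class: str        # "browser" or "scripted" (assumed classification of the JA4 hash)
    device_fp: str        # device fingerprint computed for this request
    cookie_fp: Optional[str]  # fingerprint stored in the returning-user cookie, if any


# Assumed weights: the IP verdict is a weak prior; signals the proxy network
# cannot launder (handshake, device continuity, account-level velocity) dominate.
WEIGHTS = {
    "ip_prior": 1.0,
    "tls_mismatch": 4.0,
    "fp_mismatch": 3.0,
    "session_rotation": 3.0,
    "account_velocity": 4.0,
}
WINDOW = timedelta(minutes=10)   # assumed look-back for rotation and velocity
VELOCITY_THRESHOLD = 5           # distinct IPs on one account inside WINDOW
BLOCK_AT = 6.0                   # one strong signal alone (4.0) does not block


def ip_prior(a: Attempt) -> bool:
    return a.proxy_exit or a.asn_kind == "hosting"


def tls_mismatch(a: Attempt) -> bool:
    # Residential exit in front of a non-browser TLS stack: the proxy moved the IP,
    # not the client that is actually speaking TLS.
    return a.asn_kind == "residential" and a.ja4_class != "browser"


def fp_mismatch(a: Attempt) -> bool:
    # A "returning user" cookie whose device fingerprint does not match this request.
    return a.cookie_fp is not None and a.cookie_fp != a.device_fp


def session_rotation(a: Attempt, history: list) -> bool:
    ips = {h.ip for h in history if h.session == a.session and a.ts - h.ts <= WINDOW}
    ips.add(a.ip)
    return len(ips) > 1


def account_velocity(a: Attempt, history: list) -> bool:
    # Count per targeted account, not per IP: rotation re-concentrates here.
    ips = {h.ip for h in history if h.account == a.account and a.ts - h.ts <= WINDOW}
    ips.add(a.ip)
    return len(ips) >= VELOCITY_THRESHOLD


def score(a: Attempt, history: list):
    """Return (total score, names of the signals that fired) for one attempt."""
    checks = {
        "ip_prior": ip_prior(a),
        "tls_mismatch": tls_mismatch(a),
        "fp_mismatch": fp_mismatch(a),
        "session_rotation": session_rotation(a, history),
        "account_velocity": account_velocity(a, history),
    }
    fired = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[name] for name in fired), fired


def evaluate(attempts: list):
    """Score attempts in arrival order; everything seen earlier is the history."""
    results = []
    for i, a in enumerate(attempts):
        total, fired = score(a, attempts[:i])
        results.append(("block" if total >= BLOCK_AT else "allow", total, fired))
    return results


# Constructed sample: five stuffing attempts against "alice" at 02:00, each from a
# different residential IP (TEST-NET-3 range) with a scripted TLS stack and a
# replayed cookie, followed at 08:00 by a real browser user on one of those IPs.
T0 = datetime(2024, 1, 1, 2, 0, 0)
SAMPLE = [
    Attempt(T0 + timedelta(seconds=i), f"203.0.113.{10 + i}", "s1", "alice",
            "residential", False, "scripted", f"dev-{i}", "dev-0")
    for i in range(5)
] + [
    Attempt(T0 + timedelta(hours=6), "203.0.113.12", "s-real", "bob",
            "residential", False, "browser", "dev-real", "dev-real"),
]

if __name__ == "__main__":
    for attempt, (verdict, total, fired) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{attempt.ts:%H:%M:%S} {attempt.ip:<14} {attempt.account:<6} "
              f"{verdict:<5} {total:>5.1f} {fired}")
```

Run as a script, the first attempt is allowed on the TLS mismatch alone, every later attempt in the rotating session is blocked as fingerprint, rotation and finally account velocity pile on, and the real user at 08:00 on the reused IP 203.0.113.12 scores zero: the same address gets opposite verdicts because the decision never rested on the address.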