Proxy Networks

Sep 6, 2023

Security Boulevard Community Chats Webinars Library What CISOs Need to Know About Residential Proxy Networks If residential proxy networks are not already on the CISO’s radar, 2023 will be the year they will need to focus on them significantly. What is a residential proxy network, and why should every security professional worry about it? These networks essentially “rent” IP addresses from everyday users who surf the web from their home WiFi network (although I’m not sure those users realize what they’re giving up in the process). In these scenarios, the network invites a home internet user to install an app and get paid to share their bandwidth with other customers of that network. Think of it as money, a seemingly easy way to get some extra cash. What’s really happening? The network grabs that home user’s legitimate residential IP address and lends it to another paying customer. That customer may have an IP address that’s part of a hosting block and wants to appear as a residential user within a specific region for whatever reason. The residential proxy network allows customers to pose as residential IP addresses at scale. As one residential proxy IP service explains on its website, “The website/service receiving HTTP requests sees requests coming from real residential IPs and allows access to content that would otherwise be blocked if it had been requested from traditional data center VPNs or proxy networks.” This is actually a pretty big deal on a lot of levels. Let’s look at two parts of any organization that this practice can impact. Marketers Pay for Fake Traffic Let’s say your marketing team has paid an SEO company to boost your site’s rankings. That SEO company can easily purchase traffic from any one of these networks—one I spoke with claims to have access to 100 million residential proxy IPs—who then land on your site and elevate your search rankings. Because this traffic appears to be residential IP addresses from multiple locations, Google deems it legitimate. While technically not illegal, most security professionals would balk at such a tactic. Or, your marketing team can purchase ad space on a website that receives substantial traffic via a residential proxy network, unbeknownst to the programmatic ad exchange that sells its inventory or the DSP your team uses to purchase it. On the face of it, your marketing team pays for impressions from real users in the desired location when, in fact, they’re paying for fake traffic. This is a favored tactic of “farms”—websites set up just to earn revenue from cost-per-click campaigns. As long as the website pays less for traffic than it gets from your marketing team, it’s a profitable model. Residential Proxy IP Networks’ Role in DDoS Attacks Nefarious actors can leverage residential proxy IP networks when deploying application-layer DDoS attacks. In Cloudflare’s 2Q 2022 Threat Report , the company explained its approach to detecting the origin of such attacks, writing: “To understand the origin of the HTTP attacks, we look at the geolocation of the source IP address belonging to the client that generated the attack HTTP requests. Unlike network-layer attacks, source IP addresses cannot be spoofed in HTTP attacks.” But that’s not really true if the attacker is leveraging a residential proxy IP address. Such attackers can appear to be in virtually any country of their choosing. (Those residential users who have given up their residential IP address for a small amount of money may be dismayed to learn that they were part of a DDoS attack, especially if they find they can no longer surf the web freely because their IP address has been banned by too many websites.) Web application firewalls (WAFs) like Cloudflare can’t prevent such attacks unless they can identify when a residential IP is a proxy. To do that, all CDNs need considerable context around that IP address, such as: ● Is this traffic proxied or VPN? ● How many devices are connected to that IP address? If you see hundreds of devices connected to an IP address, it’s probably not a house. ● Stability. Has this IP address been in the same location for 20 weeks? ● Is the IP address part of a known residential proxy network that’s being used for other things? All of this context provides vital clues that can protect your marketer’s budgets as well as your corporate networks. Many security teams are reluctant to block residential proxy addresses because of the potential consequences, especially if the IP address is a carrier-grade network address translation (CGNAT) address. CGNAT came into existence in 2009 with the help of the Internet Engineering Task Force ( IETF ) to allow ISPs to preserve their own public IPv4 addresses, process subscriber traffic through the ISP’s private IPv4 network, as well as support business subscribers that also have their own private IPv4 networks with multiple devices across multiple locations. Blocking a CGNAT IP address could mean thousands of users are suddenly blocked. All of this speaks to the growing sophistication and complexity of the cybersecurity space. Until these residential proxy networks gained traction, most WAFs or CDNs could look at an incoming IP address, verify that it is a residential, non-VPN IP address located in a region that makes sense, and assume that it’s legitimate traffic. That’s not the case anymore; security teams need a lot more context around IP addresses to understand their incoming traffic.