Residential Proxies Obscure Malicious Traffic, Bypassing IP Reputation Checks in 78% of Cases
Residential proxies are increasingly being leveraged to mask malicious traffic, posing a significant challenge to IP reputation systems. A recent study by **GreyNoise** reveals that a staggering 78% of malicious sessions originating from residential proxies evade detection, blurring the lines between attackers and legitimate users.

Researchers are warning that residential proxies used to route malicious traffic are a significant problem for IP reputation systems, as there is no clear distinction between attackers and legitimate users. This is primarily because the residential IPs involved are too short-lived, too rarely used, or too systematically rotated for defense systems to catalog them in time.
**GreyNoise**, a cybersecurity intelligence platform, reached this conclusion after examining a massive dataset of 4 billion malicious sessions targeting the edge over a three-month period.
### Key Findings
* Roughly 39% of these sessions appear to originate from home networks, strongly suggesting they are part of residential proxy networks.
* A significant 78% of these sessions are invisible to reputation feeds.
“The data reveals a pattern that challenges a core assumption of network defense: that you can tell attackers from legitimate users by where the traffic comes from,” explains **GreyNoise**.
According to the company, most residential IPs are used only once or twice before disappearing, with attackers rotating them rapidly enough to avoid being flagged by reputation systems.
* Approximately 89.7% of residential IPs are active in malicious operations for less than a month.
* Only 8.7% remain active for two months.
* A mere 1.6% persist for three months.
Those IPs that remain active for extended periods tend to specialize, focusing on SSH and utilizing Linux TCP stacks, according to the researchers.

Diversity further complicates detection and blocking efforts. **GreyNoise’s** data indicates that the residential IPs participating in attacks belong to 683 different internet service providers.
Another factor contributing to their stealth is their primary use for network scanning and reconnaissance. Only 0.1% are involved in actual exploits, the researchers noted.
A small percentage (1.3%) targeted enterprise VPN login pages, while limited cases also involved residential IPs in path traversal and credential stuffing attempts.
Regarding the source of these residential proxies, **GreyNoise** identifies China, India, and Brazil as major contributors. Traffic from these IPs follows human sleep patterns, decreasing by approximately one-third at night when most users power off their devices.

The researchers report that residential proxy traffic is generated by two distinct, non-overlapping ecosystems: IoT botnets and infected computers.
In the latter case, the proxies originate from SDKs embedded in free VPNs, ad blockers, and similar apps, which enroll user devices in bandwidth-selling schemes.
**GreyNoise** also highlighted the resilience of these networks, citing the example of **IPIDEA**, one of the world’s largest residential proxy networks. **Google Threat Intelligence Group (GTIG)** and its partners recently disrupted **IPIDEA**.
The disruption reduced its proxy pool by roughly 40%, but datacenter traffic increased in the aftermath, indicating that demand can be absorbed by other providers and that lost capacity is rapidly replaced.

### Mitigation Strategies
**GreyNoise** emphasizes that residential proxy evasion tactics necessitate moving away from IP reputation as the primary signal and focusing on behavioral analysis instead.
The researchers recommend:
* Detecting sequential probing from rotating residential IPs.
* Blocking clearly illegitimate protocols like SMB from ISP space.
* Tracking device fingerprints that persist despite IP rotation.
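The following is an added example, not GreyNoise's code, of how the first and third recommendations combine: sessions are keyed by a persistent device fingerprint (a hypothetical `fingerprint` field standing in for a TLS or TCP stack hash) rather than by source IP, and a fingerprint is flagged when, within a short window, it shows up from several distinct IPs while probing several distinct targets. The session records and RFC 5737 addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    ts: int            # epoch seconds
    src_ip: str
    fingerprint: str   # hypothetical device fingerprint (e.g. TLS/TCP stack hash)
    target: str        # path probed

# Constructed sample: fp-A1 rotates through three residential IPs while walking
# a list of paths; fp-B2 is an ordinary user on one IP. Addresses are RFC 5737.
SAMPLE_SESSIONS = [
    Session(1000, "198.51.100.10", "fp-A1", "/login"),
    Session(1040, "203.0.113.22", "fp-A1", "/admin"),
    Session(1090, "192.0.2.7", "fp-A1", "/.env"),
    Session(1130, "203.0.113.22", "fp-A1", "/wp-login.php"),
    Session(1005, "198.51.100.55", "fp-B2", "/login"),
    Session(1300, "198.51.100.55", "fp-B2", "/dashboard"),
    Session(1500, "198.51.100.55", "fp-B2", "/login"),
]

def cluster_by_fingerprint(sessions):
    """Key sessions by fingerprint, not source IP, so IP rotation does not split them."""
    clusters = defaultdict(list)
    for s in sessions:
        clusters[s.fingerprint].append(s)
    return clusters

def detect_rotating_probers(sessions, window_s=600, min_ips=3, min_targets=3):
    """Return {fingerprint: sorted IPs} for fingerprints that, inside any
    window_s-second span, appear from >= min_ips distinct IPs and touch
    >= min_targets distinct targets: IP rotation plus sequential probing."""
    flagged = {}
    for fp, sess in cluster_by_fingerprint(sessions).items():
        sess.sort(key=lambda s: s.ts)
        start = 0
        for end in range(len(sess)):
            while sess[end].ts - sess[start].ts > window_s:  # slide window start
                start += 1
            window = sess[start:end + 1]
            ips = {s.src_ip for s in window}
            if len(ips) >= min_ips and len({s.target for s in window}) >= min_targets:
                flagged[fp] = sorted(ips)
                break
    return flagged
```

Calling `detect_rotating_probers(SAMPLE_SESSIONS)` flags only `fp-A1`; the single-IP user `fp-B2` is never flagged, and no reputation feed is consulted at any point.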