
78% of 4B Sessions Bypassed IP Checks with Residential Proxies

Originally published on: April 3, 2026
Summary

– Residential proxies used for malicious traffic are a major problem for IP reputation systems because they blur the line between attackers and legitimate users.
– About 39% of malicious sessions originate from home networks, but 78% of these are invisible to standard reputation feeds due to rapid IP rotation.
– These proxies are highly transient, with nearly 90% of the residential IPs involved in attacks being active for less than a month.
– The traffic comes from a diverse set of 683 internet service providers and primarily involves scanning, with only 0.1% used for actual exploits.
– Researchers recommend shifting defense focus from IP reputation to behavioral signals, like detecting sequential probing or blocking illegitimate protocols from residential spaces.

A recent analysis of billions of malicious sessions reveals a fundamental flaw in many network security models. The widespread use of residential proxies is allowing attackers to effectively bypass traditional IP reputation systems, with a staggering 78% of malicious sessions evading detection. This evasion occurs because the proxies are too transient for defense systems to catalog, creating a landscape where malicious and legitimate traffic are virtually indistinguishable by origin.

Cybersecurity firm GreyNoise reached this conclusion after examining four billion malicious sessions targeting network edges over three months. The data indicates that roughly 39% of these sessions appear to originate from home networks, almost certainly via residential proxies. The core issue is their fleeting nature. Attackers systematically rotate these IPs, with most used only once or twice before disappearing. About 90% of these residential IPs are active in malicious campaigns for less than a month, making it nearly impossible for static reputation feeds to keep pace.

This creates a significant evasion tactic that undermines a basic tenet of cybersecurity. The assumption that an IP address’s history can reliably identify threats is no longer valid when attackers constantly shift through millions of short-lived addresses. Further complicating defense is the sheer diversity of these proxies. The malicious IPs identified were linked to 683 different internet service providers globally, making broad geographic or provider-based blocking impractical.

The primary activity from these proxies is low-and-slow network scanning and reconnaissance, with only a tiny fraction, about 0.1%, involved in actual exploitation attempts. A small percentage targeted enterprise VPN logins or were used in credential stuffing. Their stealth is enhanced because the traffic patterns often mimic legitimate human behavior. Researchers noted that activity from proxies in countries like China, India, and Brazil follows human sleep cycles, dropping significantly at night when devices are turned off.

These proxy networks are fueled by two main sources: IoT botnets and infected personal computers. In the latter case, the proxies often originate from software development kits embedded within free VPN services, ad blockers, and similar applications that covertly enroll user devices into bandwidth-selling schemes without their full knowledge.

The resilience of this ecosystem was demonstrated following a recent disruption of IPIDEA, one of the world’s largest residential proxy networks. While the action reduced its available pool by about 40%, the overall malicious ecosystem adapted quickly: data center proxy traffic increased to absorb the demand. Lost capacity can evidently be replaced within a short time, which highlights the difficulty of sustained enforcement.

This new reality necessitates a strategic shift in defensive posture. Relying on IP reputation as a primary security signal is becoming increasingly ineffective. GreyNoise researchers recommend moving toward behavioral detection methods. These include identifying patterns of sequential probing from rotating residential IPs, blocking clearly illegitimate protocols like SMB when they originate from residential ISP spaces, and tracking persistent device fingerprints that remain consistent even as the outward IP address changes.
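The recommendations above, and the rotation problem described earlier in the article, can be turned into concrete detection logic. The following is an added example, not GreyNoise's code or anything from the report. It assumes each edge session has already been enriched with an origin ASN, an ASN type (residential or datacenter) and a stable client fingerprint (for instance a TCP or TLS stack hash); those fields, the port deny list and every session record below are constructed for the illustration. The three checks group on what stays constant while the IP rotates: ASN plus fingerprint for sequential probing, ASN type for protocols that have no business arriving from residential space, and fingerprint alone for pivoting across addresses.

```python
"""Behavioral checks over constructed edge-session records.

Added example, not GreyNoise's code. Assumes sessions are already enriched
with an ASN, an ASN type (residential vs datacenter) and a stable client
fingerprint; those fields and all sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Session:
    ts: int           # seconds since epoch (constructed)
    src_ip: str
    asn: int          # assumed enrichment: origin ASN
    asn_type: str     # assumed enrichment: "residential" or "datacenter"
    dst_port: int
    fingerprint: str  # assumed: per-client fingerprint that survives IP rotation


# Constructed sample: client fp-A walks ports in ascending order while rotating
# through five residential IPs in ASN 64500; one residential host sends SMB;
# a datacenter client (fp-C) talks HTTPS from two IPs and should stay quiet.
SAMPLE: List[Session] = [
    Session(1000, "198.51.100.10",  64500, "residential", 22,   "fp-A"),
    Session(1005, "198.51.100.23",  64500, "residential", 23,   "fp-A"),
    Session(1010, "198.51.100.77",  64500, "residential", 80,   "fp-A"),
    Session(1015, "198.51.100.91",  64500, "residential", 443,  "fp-A"),
    Session(1020, "198.51.100.130", 64500, "residential", 8080, "fp-A"),
    Session(1100, "203.0.113.5",    64501, "residential", 445,  "fp-B"),
    Session(1200, "192.0.2.8",      64502, "datacenter",  443,  "fp-C"),
    Session(1300, "192.0.2.9",      64502, "datacenter",  443,  "fp-C"),
]

# Services with no legitimate reason to arrive from residential space. The
# article names SMB; the other two are the same Windows file/RPC family.
RESIDENTIAL_DENY_PORTS: Set[int] = {445, 139, 135}


def sequential_probing(sessions, window=120, min_ports=4, min_ips=3):
    """Flag (asn, fingerprint) groups that touch >= min_ports distinct ports in
    strictly ascending order from >= min_ips distinct source IPs inside
    `window` seconds. Keying on ASN + fingerprint instead of IP is what keeps
    the rotating addresses of one actor in a single group."""
    groups: Dict[tuple, List[Session]] = defaultdict(list)
    for s in sessions:
        groups[(s.asn, s.fingerprint)].append(s)
    alerts = []
    for (asn, fp), group in groups.items():
        group.sort(key=lambda s: s.ts)
        best = None
        for start in range(len(group)):
            win = [s for s in group[start:] if s.ts - group[start].ts <= window]
            ports = [s.dst_port for s in win]
            ips = {s.src_ip for s in win}
            ascending = ports == sorted(ports) and len(set(ports)) == len(ports)
            if ascending and len(ports) >= min_ports and len(ips) >= min_ips:
                if best is None or len(ports) > len(best["ports"]):
                    best = {"asn": asn, "fingerprint": fp,
                            "ports": ports, "ips": sorted(ips)}
        if best:
            alerts.append(best)
    return alerts


def residential_protocol_violations(sessions):
    """Sessions carrying deny-listed services from residential ASNs; these can
    be blocked outright regardless of what the IP reputation feed says."""
    return [s for s in sessions
            if s.asn_type == "residential" and s.dst_port in RESIDENTIAL_DENY_PORTS]


def fingerprint_pivots(sessions, min_ips=3):
    """Fingerprints seen from >= min_ips distinct source IPs: the actor is
    tracked by what stays constant while the feed only sees fresh addresses."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for s in sessions:
        seen[s.fingerprint].add(s.src_ip)
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for alert in sequential_probing(SAMPLE):
        print("sequential probing:", alert)
    for s in residential_protocol_violations(SAMPLE):
        print("residential deny-listed service:", s.src_ip, "->", s.dst_port)
    print("fingerprint pivots:", fingerprint_pivots(SAMPLE))
```

The thresholds (window, port and IP counts) are starting points to tune against your own baseline; carrier-grade NAT can put many real users behind one address, but it does not make unrelated users share a client fingerprint across several addresses, which is why the pivot check keys on the fingerprint rather than the IP.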

(Source: BleepingComputer)
