
Residential Proxies Are Breaking IP Reputation Defences

Kyanite Blue Labs, Threat Intelligence·6 April 2026

When Attack Traffic Looks Like Your Customers

IP reputation has been a staple of perimeter defence for years. Block known-bad IP ranges, flag suspicious sources, and let clean traffic through. It is a reasonable approach when attackers operate from data centre ranges or known bulletproof hosting infrastructure. The problem is that attackers have largely stopped doing that.

Residential proxy networks route malicious traffic through ordinary consumer broadband connections, mobile data plans, and small-business ISP accounts. The IP address making the request belongs to a real household in Manchester or a mobile subscriber in Auckland. It carries no threat intelligence flags. It looks, at the network level, indistinguishable from a customer logging in or an employee working remotely.

According to research published by GreyNoise in April 2025, this is not an edge case. Their sensors observed 4 billion malicious sessions over a 90-day period, with a substantial portion of that traffic passing through residential and mobile IP ranges. The scale confirms what security practitioners have suspected for some time: IP reputation, on its own, is no longer a reliable control.

How Residential Proxy Networks Actually Work

A residential proxy network is a pool of real IP addresses belonging to real devices. Those devices, typically consumer routers, mobile phones, or IoT hardware, have been recruited into the network, often without the owner's knowledge. The device owner may have installed a free VPN, a dubious browser extension, or an app that quietly sold their bandwidth in exchange for the service.

An attacker pays for access to this pool and routes their traffic through it. Each request appears to originate from a different legitimate address. From the perspective of the target's web application firewall or threat intelligence feed, the traffic originates from a residential ISP customer with no history of malicious activity.

This creates two separate problems for defenders.

First, blocking by IP becomes counterproductive. The same address ranges used by attackers are also used by genuine employees accessing corporate systems from home, customers browsing a retail platform, and partners connecting to shared portals. Block too aggressively and you lock out legitimate users.

Second, rate limiting by IP loses its effect. When an attacker can rotate through thousands of residential addresses, a per-IP request threshold does nothing to slow credential stuffing, scraping, or vulnerability scanning. The attacker simply spreads the load.

Why This Matters Beyond the Firewall

The consequences extend well beyond network-layer controls. Consider what this technique enables in practice.

Credential stuffing becomes significantly harder to detect. An attacker testing a list of breached username and password combinations can distribute attempts across thousands of residential IPs, each making only a handful of requests. Standard account lockout policies and login anomaly detection struggle to correlate the activity into a coherent picture.

Web scraping and competitive intelligence gathering scale up. Organisations that rely on IP-based rate limiting to protect proprietary data or pricing information find that protection ineffective against distributed residential proxy traffic.

Business email compromise reconnaissance gets quieter. Attackers mapping an organisation's external footprint, identifying mail servers, probing authentication endpoints, or harvesting employee information through exposed web applications can do so from addresses that attract no suspicion.

Vulnerability scanning, which defenders often detect by watching for probes from known scanner ranges or data centre blocks, becomes harder to spot when conducted through residential addresses at low volume over extended periods.

In each of these cases, the attack succeeds not because the attacker broke through a control, but because the control never recognised the activity as a threat.

What Effective Detection Actually Requires

If IP reputation cannot carry the weight it once did, what should defenders focus on instead? The answer is behaviour, not address. Effective detection at this layer looks at what a connection is doing, not where it originates. Several signals remain meaningful even when the source IP is clean.

Request patterns: Automated traffic tends to follow consistent timing intervals, request identical resource sequences, and avoid the irregular browsing patterns of genuine users. These patterns persist regardless of which residential IP is serving as the current exit node.

TLS fingerprinting: The way a client negotiates an encrypted connection reveals characteristics of the underlying software stack. Automated tools leave distinct fingerprints that differ from standard browser behaviour, even when the IP address belongs to a household in Birmingham.

Behavioural context: A residential IP that has never accessed a given platform suddenly attempting a login, then abandoning it after one failure, then reappearing from a different address thirty seconds later, produces a pattern that does not match normal user behaviour even if no individual address is flagged.

Session depth and interaction quality: Genuine users navigate, pause, read, and make mistakes. Automated sessions tend to be purposeful, fast, and consistent in ways that human browsing is not.

None of these signals is infallible on its own. Together, they provide a detection surface that is substantially more resilient to the residential proxy technique than any IP reputation list.
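As an added example that is not from the original article, the following Python script applies the request-pattern and behavioural-context signals above, and the per-IP rate-limiting weakness from the earlier section, to a few constructed authentication log lines. It contrasts what a per-IP counter sees (every attacker address appears once, so no threshold is ever crossed) with a per-account check that groups failed logins across rotating addresses and tests for the constant thirty-second spacing the text describes. The log format, thresholds and function names are assumptions for the demo.

```python
# Added example, not from the original article: correlate failed logins by account
# and timing instead of by source IP. Log format and thresholds are constructed.
from collections import defaultdict
from statistics import pstdev

# Constructed auth log: "<epoch_seconds> <user> <source_ip> <result>".
# alice is hit every 30 s from a fresh residential exit node each time.
SAMPLE_LOG = """\
1700000000 alice 81.2.10.5 FAIL
1700000030 alice 94.6.1.77 FAIL
1700000060 alice 203.0.113.9 FAIL
1700000090 alice 198.51.100.4 FAIL
1700000120 alice 192.0.2.50 SUCCESS
1700000005 bob 10.0.0.3 FAIL
1700000400 bob 10.0.0.3 SUCCESS
1700000010 carol 10.0.0.8 SUCCESS
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        rows.append((int(ts), user, ip, result))
    return rows

def per_ip_counts(rows):
    # What a per-IP rate limiter sees: every attacker address shows up once.
    counts = defaultdict(int)
    for _, _, ip, _ in rows:
        counts[ip] += 1
    return dict(counts)

def flag_accounts(rows, window=300, min_ips=3, max_jitter=5.0):
    # Flag an account whose failed logins within `window` seconds come from
    # at least `min_ips` distinct addresses at near-constant spacing
    # (population std dev of the gaps between attempts <= max_jitter).
    by_user = defaultdict(list)
    for ts, user, ip, result in rows:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, attempts in by_user.items():
        attempts.sort()
        recent = [a for a in attempts if a[0] - attempts[0][0] <= window]
        ips = {ip for _, ip in recent}
        gaps = [b[0] - a[0] for a, b in zip(recent, recent[1:])]
        regular = len(gaps) >= 2 and pstdev(gaps) <= max_jitter
        if len(ips) >= min_ips and regular:
            flagged[user] = {"distinct_ips": len(ips), "attempts": len(recent)}
    return flagged
```

On the sample log, no address exceeds two hits, so a per-IP threshold stays silent, while the per-account check flags alice with four failures from four distinct addresses thirty seconds apart.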

The Attack Surface You Cannot See from the Inside

There is a connected problem that residential proxy abuse makes worse: organisations often do not have an accurate picture of what their external attack surface looks like to an attacker conducting reconnaissance through residential IPs. Traditional penetration testing snapshots a moment in time. By the time findings are remediated, new assets may have been spun up, subdomains may have been forgotten, and authentication endpoints may have drifted from their intended configuration. An attacker conducting continuous low-volume reconnaissance from residential addresses can observe these changes as they happen.

Continuous attack surface management tools like Hadrian address this directly. Hadrian runs persistent, automated reconnaissance against an organisation's external footprint, identifying exposed assets, misconfigured services, and authentication weaknesses before an attacker can act on them. Because it operates continuously rather than periodically, it catches the drift that point-in-time testing misses. You can find out more about Hadrian's approach at /products/hadrian.

The practical implication is that reducing your exposure to residential proxy-based reconnaissance is not only a detection problem. It is also a surface reduction problem. The less an attacker can find, the less they can abuse.

The Supply Chain Dimension

Residential proxy attacks rarely stay contained to one target. When attackers use distributed residential infrastructure to probe for weaknesses, they frequently do so across multiple organisations simultaneously, looking for the path of least resistance.

This matters for supply chain security. A supplier or partner that shares authentication infrastructure, API access, or data exchange mechanisms with your organisation becomes a potential entry point. If their defences cannot distinguish residential proxy traffic from legitimate access, a successful credential stuffing campaign against their platform may give an attacker a foothold that extends into yours.

Third-party risk management platforms like Panorays provide continuous visibility into the security posture of your supplier ecosystem, flagging weaknesses in their external-facing infrastructure that could become your problem. When your own defences are sound but a critical supplier is running authentication controls that cannot handle distributed low-volume attacks, that gap belongs in your risk register. Details at /products/panorays.

How to Protect Your Business Against Residential Proxy Attacks

IP reputation is worth keeping as one layer among many, but it cannot anchor your detection strategy against an attacker using residential proxy infrastructure. Here is where specific controls make a material difference.

For network detection and monitoring, Sophos MDR provides 24/7 threat detection that goes beyond IP-based filtering. The managed detection and response service applies behavioural analysis across network telemetry, correlating low-signal events that IP reputation tools would miss entirely. When residential proxy traffic produces unusual session patterns, Sophos MDR analysts have the context to identify it as anomalous rather than dismissing it because the source IP appears clean. See the full capability at /products/sophos.

For attack surface visibility, Hadrian continuously maps your external footprint and identifies the authentication endpoints, exposed services, and misconfigured assets that residential proxy-based reconnaissance would find. Reducing the exploitable surface directly reduces the value of that reconnaissance. Visit /products/hadrian for more information.

For data exfiltration risk, if an attacker does establish access through credentials obtained via a credential stuffing campaign conducted behind residential proxies, BlackFog prevents the data theft that typically follows. BlackFog's anti data exfiltration technology blocks unauthorised outbound data movement at the device level, regardless of how the attacker gained their initial access. Check your current exposure at /data-exfiltration-risk.

For UK businesses running unified endpoint and email security, Coro adds behavioural controls to email and cloud application access that flag anomalous authentication patterns even when they originate from clean IP addresses. Details at /products/coro.

The common thread across each of these controls is a shift from asking 'where is this traffic coming from?' to asking 'what is this traffic doing?' That shift is what the residential proxy technique demands. If you want to understand how well your current defences hold up against distributed, low-signal attacks of this kind, our team can run a security assessment against your external footprint. Get in touch at /contact or check your data exfiltration risk in two minutes at /data-exfiltration-risk.

Frequently Asked Questions

What is a residential proxy and why do attackers use them?

A residential proxy routes internet traffic through real consumer broadband or mobile IP addresses rather than data centre infrastructure. Attackers use them because the originating IP addresses carry no threat intelligence flags and appear identical to legitimate user traffic, making IP reputation-based defences ineffective at detecting or blocking the activity.

Why is IP reputation no longer enough to block malicious traffic?

IP reputation works by flagging addresses associated with known malicious activity. Residential proxy networks route attacks through ordinary household and mobile connections that have no threat history. Because the same IP ranges are used by legitimate employees, customers, and partners, defenders cannot block them without disrupting genuine access. Behavioural detection is required instead.

How can businesses detect attacks using residential proxy infrastructure?

Detection requires shifting focus from source IP to session behaviour. Signals including request timing patterns, TLS fingerprinting, login failure sequences, and session interaction quality remain meaningful even when the originating IP is clean. Continuous attack surface monitoring and 24/7 managed detection and response services provide the coverage that IP reputation alone cannot deliver.
