Can You Spot the Bots Hiding in Rotating Residential Proxies?

In the cybersecurity world, it’s common knowledge that threat actors rely heavily on datacenter proxies to mask their own IP and keep their anonymity when partaking in illegal and fraudulent activity. However, given that it’s easy to identify a datacenter by their autonomous system number (ASN), it’s fair to say most security solutions would have little difficulty blocking the datacenter from a targeted website, if malicious activity was suspected.

This has given rise to a new approach of masking bot activity – through rotating residential proxies (RRP).

What is a rotating residential proxy?

Rotating residential proxies allow for the proxying of network traffic through home internet connections. Allocating genuine residential IPs gives users anonymity within a sea of traffic that is usually deemed less suspicious.

Bot operators get their hands on residential IPs via various means:

• Individuals sell on their unused bandwidth to a proxy provider
• Some mobile apps are monetized by using up the device’s IP address instead of showing ads, feeding residential proxy networks
• ISPs rent out unused bandwidth and IPs to proxy servers

Bots are like the internet’s worst house guests, and rotating residential proxies help them to look right at home within the target platform’s web traffic. Combining the use of bots with the use of rotating residential proxies allows the illicit activity to blend in amongst genuine customer activity.

Enlisting rotating residential proxies essentially guarantees the threat actor that the bots deployed will be able to carry out requests at speed, with a much higher likelihood that they will operate without challenge by client-side security measures.

Why does activity being masked by rotating residential proxies go undetected?

A credential stuffing attack sends hundreds of requests per second, rotating stolen usernames and credentials using brute force to takeover legitimate customer accounts. The difference between doing this from one anonymized IP or relying on datacenter’s IP range – which is usually straightforward to identify by the fact they share the first few integers – is that, anonymized or not, this type of activity can be easily identified by most security solutions at the point of log-on.

By distributing suspicious requests amongst several IPs deemed unsuspicious in nature, the motive of attacks can be very easily concealed, as can the scale of requests involved in such an attack by being interwoven between genuine customer requests. Without being flagged as suspicious activity, unlimited requests going unchallenged can stockpile limited items, or scrape competitors to gain pricing advantages. It is common for businesses that are a target of a bot attack masked by rotating residential proxies to not even know they are or have been a target.

Protect your business from rotating residential proxies with Netacea

JavaScript is perhaps the most common security feature deployed by businesses, to block threats at the point of a log-in feature, for example. However, if your solution to bots relies on JavaScript alone, they will likely miss an attack of this sophistication.

Client-side JavaScript and mobile SDKs can be a security and privacy risk to you and your customers. Relying on any client-side functionality to perform security is putting your defenses into the hands of the attackers to develop bypasses.

Netacea has identified a multi-layered approach to be the most effective way to protect any web interfacing platform. Our bot management solution has been designed to handle the level of data and complexity of analysis required to identify bots in this way. The solution works by analyzing web logs in real time and combining this with historic trends to analyze user behavior and determine the intent of traffic.

To find out more about Netacea’s unique approach to stopping sophisticated bot threats, sign up for a free trial with us.