Researchers warn that short-lived, systematically rotated residential proxies make malicious traffic indistinguishable from legitimate home users and undermine IP reputation systems. GreyNoise’s analysis of 4 billion edge sessions found roughly 39% appearing to originate from home networks with 78% invisible to reputation feeds, and the company recommends shifting to behavior-based detection. #GreyNoise #IPIDEA
Key points
- Short-lived and rotated residential proxies prevent timely cataloging by IP reputation systems.
- GreyNoise analyzed 4 billion malicious sessions over three months to reach its conclusions.
- About 39% of sessions appear to come from home networks, yet 78% evade reputation feeds.
- Most residential IPs are used for scanning and reconnaissance and come from diverse ISPs and countries like China, India, and Brazil.
- Researchers advise abandoning IP reputation as a primary signal and prioritizing behavior-based detection such as sequential-probing detection and persistent device fingerprints.
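The shift in the last point, keying detection on a persistent client fingerprint instead of the source IP, is sketched below as an added example; it is not GreyNoise's code or method. It assumes that "sequential probing" means ascending port steps close together in time and that each session record carries a stable fingerprint. All IPs, fingerprint labels, ports and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sessions: (epoch_seconds, source_ip, client_fingerprint, dst_port).
# IPs are documentation ranges; fingerprints are made-up labels.
SESSIONS = [
    (0,   "198.51.100.7",  "fp-a1", 8080),
    (20,  "203.0.113.44",  "fp-a1", 8081),
    (41,  "192.0.2.19",    "fp-a1", 8082),
    (63,  "198.51.100.90", "fp-a1", 8083),
    (85,  "203.0.113.5",   "fp-a1", 8084),
    (10,  "192.0.2.200",   "fp-b2", 443),
    (400, "192.0.2.200",   "fp-b2", 443),
    (30,  "198.51.100.33", "fp-c3", 22),
    (900, "198.51.100.33", "fp-c3", 8443),
]

def longest_sequential_run(events, window):
    """Longest run of +1 port steps, each within `window` seconds of the last."""
    best = run = 1
    for (t0, _, p0), (t1, _, p1) in zip(events, events[1:]):
        run = run + 1 if (p1 == p0 + 1 and t1 - t0 <= window) else 1
        best = max(best, run)
    return best

def flag_by_fingerprint(sessions, min_run=4, min_ips=3, window=60):
    """Group by fingerprint so IP rotation does not split the activity."""
    groups = defaultdict(list)
    for ts, ip, fp, port in sessions:
        groups[fp].append((ts, ip, port))
    flagged = {}
    for fp, events in groups.items():
        events.sort()  # chronological order
        ips = {ip for _, ip, _ in events}
        run = longest_sequential_run(events, window)
        if run >= min_run and len(ips) >= min_ips:
            flagged[fp] = {"run": run, "distinct_ips": len(ips)}
    return flagged

def flag_by_ip(sessions, min_events=4):
    """Per-IP counting, for contrast: each rotated IP stays under the threshold."""
    counts = defaultdict(int)
    for _, ip, _, _ in sessions:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= min_events}

if __name__ == "__main__":
    print("per-IP view flags:        ", flag_by_ip(SESSIONS))
    print("per-fingerprint view flags:", flag_by_fingerprint(SESSIONS))
```

On this sample the per-IP view flags nothing, while the per-fingerprint view surfaces one client walking five consecutive ports from five different addresses.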