BSidesPDX-2025

Darin Smith

Darin is a security research leader at Cisco Talos, focused on mentorship, security management, cloud native security research and detection engineering. Former affiliations include Amazon, the FBI, UC Davis and King's College London. In his spare time he loves playing music, hiking and travelling.


Session

10-25
15:00
20min
Unwitting Hosts: How Residential Proxies Increase Risk
Darin Smith, Blake Anderson

Residential proxy networks, which reroute user traffic through residential IP addresses, present unique risks to enterprise networks and individual users. These proxies, often bundled with low-reputation applications, enable external traffic to appear as if originating from legitimate endpoints, frequently without user consent. Cisco Security's research highlights that residential proxies are 4.8 times more likely to connect to malicious domains compared to regular enterprise network traffic, underscoring the threats posed by such activity.
This research investigates the mechanics, detection, and prevalence of residential proxies, leveraging datasets from Cisco Network Visibility Module (NVM) and the open-source mercury tool. By analyzing billions of network flows and telemetry data from approximately 240,000 devices, researchers identified residential proxy activity linked to applications like Infatica and Rave Helper. These programs, while not inherently malicious, misuse enterprise resources and can serve as vectors for attacks, including click fraud, spam, and internal reconnaissance by adversaries. The research also presents a novel detection approach based on Transport Layer Security (TLS) random nonces that enables robust identification of residential proxy behavior in network traffic.
This study underscores the risks posed by residential proxies and emphasizes the importance of addressing these threats to safeguard enterprise environments. By detailing detections for this behavior and some of the tools that exhibit it, the study provides practical means of identifying residential proxy behavior through network traffic analysis. These insights aim to empower organizations with actionable strategies to mitigate the misuse of their resources and reduce exposure to malicious activity.

Talk 1