Understanding Proxy Servers

A proxy server acts as an intermediary between a user's computer and the internet. When you use a proxy, your web traffic is routed through the proxy server, which masks your real IP address and replaces it with its own. Proxies are used for many reasons, including privacy, accessing geo-restricted content, and, in the context of cybersecurity, for both benign and malicious automated activities.

The two most common types of proxies used for large-scale operations are datacenter proxies and residential proxies. Understanding their differences is key to understanding modern bot attacks.

What are Datacenter Proxies?

Datacenter proxies are the most common and affordable type of proxy. As the name suggests, their IP addresses are not affiliated with a residential Internet Service Provider (ISP) like Comcast or AT&T. Instead, they are owned and operated by large datacenters and cloud hosting providers (e.g., AWS, Azure, Google Cloud).

Characteristics:

  • Source: The IP addresses come from commercial datacenters.
  • Performance: They offer very high speeds and low latency because they run on high-bandwidth internet backbones.
  • Cost: They are relatively cheap and can be purchased in large blocks.
  • Anonymity: They provide a basic level of anonymity by masking your real IP, but they are very easy to identify as non-human traffic.

Use Cases:

  • Legitimate: Price comparison websites, ad verification, market research.
  • Malicious: Used by unsophisticated bots for web scraping, spamming, and low-level credential stuffing attacks.

Key Weakness: Because their IP addresses belong to known datacenter IP ranges, they are easily detectable. Websites can subscribe to databases that list all IP ranges associated with hosting providers and simply block any traffic coming from them. This makes datacenter proxies ineffective against websites with even basic bot protection.
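The range-database check described above, as an added example (not code from the original article). The CIDR list and log lines are constructed placeholders built from documentation address ranges, standing in for a real hosting-provider feed; the class and function names are hypothetical.

```python
import bisect
import ipaddress
from collections import Counter

# Constructed placeholder feed (documentation ranges, not real provider data).
# Adjacent and overlapping entries are deliberate: real feeds contain both.
HOSTING_CIDRS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24",
                 "198.51.100.64/26", "2001:db8:1000::/36"]

# Constructed access-log lines; the client IP is the first field.
SAMPLE_LOG = """\
192.0.2.77 - - [01/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401
198.51.100.70 - - [01/Jan/2025:10:00:02 +0000] "POST /login HTTP/1.1" 401
203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200
2001:db8:1abc::5 - - [01/Jan/2025:10:00:04 +0000] "GET /products HTTP/1.1" 200
2001:db8:2000::1 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200
not-an-ip - - [01/Jan/2025:10:00:06 +0000] "GET / HTTP/1.1" 400
"""

class HostingRangeIndex:
    """Merged, sorted (start, end) integer ranges per IP version."""
    def __init__(self, cidrs):
        self.ranges = {4: [], 6: []}
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        for version in (4, 6):
            same = [n for n in nets if n.version == version]
            # collapse_addresses merges overlapping/adjacent networks, sorted
            for net in ipaddress.collapse_addresses(same):
                self.ranges[version].append((int(net[0]), int(net[-1])))

    def contains(self, ip_text):
        ip = ipaddress.ip_address(ip_text)  # raises ValueError on junk input
        # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        ranges = self.ranges[ip.version]
        # Binary search for the last range whose start is <= the address
        i = bisect.bisect_right(ranges, (int(ip), float("inf"))) - 1
        return i >= 0 and ranges[i][0] <= int(ip) <= ranges[i][1]

def classify_log(log_text, index):
    counts = Counter()
    for line in log_text.splitlines():
        client = line.split(" ", 1)[0]
        try:
            label = "hosting" if index.contains(client) else "other"
        except ValueError:
            label = "unparsed"
        counts[label] += 1
    return counts
```

The "other" bucket only means the address is outside the listed hosting ranges; traffic relayed through residential proxies lands there too, so this check cannot identify it.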

What are Residential Proxies?

Residential proxies are a more advanced and stealthy type of proxy. Their IP addresses are real, legitimate IP addresses assigned by ISPs to homeowners. Attackers gain access to these residential IPs and route their traffic through them, making their requests appear to come from genuine, everyday users.

How do they work? Access to these residential IPs is often obtained through unethical or malicious means:

  • Malware: A user's computer is infected with malware that turns it into a proxy node without their knowledge.
  • Unethical SDKs: A free mobile app or browser extension might include a Software Development Kit (SDK) that, in its terms of service, gets the user's permission to use their device's internet connection as a proxy in exchange for using the app for free. Most users are unaware of this.

Characteristics:

  • Source: The IP addresses belong to real residential ISPs.
  • Performance: They are generally slower and have higher latency than datacenter proxies because the traffic is being routed through a home internet connection.
  • Cost: They are significantly more expensive than datacenter proxies.
  • Anonymity: They offer a very high level of anonymity. Because the traffic comes from a legitimate residential IP, it is extremely difficult to distinguish from real human traffic based on the IP address alone.

Use Cases:

  • Legitimate: Ad verification (to see how ads appear in different geographic locations), accessing geo-blocked streaming content.
  • Malicious: Used by sophisticated bots for credential stuffing, advanced web scraping, ad fraud, and scalping limited-edition products. They are the tool of choice for attackers trying to bypass strong security measures.

Datacenter vs. Residential Proxies: A Comparison

| Feature | Datacenter Proxies | Residential Proxies |
|---|---|---|
| IP Source | Datacenters, Cloud Providers | Residential Internet Service Providers (ISPs) |
| Detection | Easy to detect and block | Very difficult to detect based on IP alone |
| Cost | Low | High |
| Speed | Very Fast | Slower, higher latency |
| IP Pool Size | Limited to datacenter IP ranges | Massive and diverse, spanning millions of homes globally |
| Primary Use | Basic automation, simple scraping | Sophisticated bot attacks, bypassing security |

Conclusion: The Challenge for Security

The rise of large-scale residential proxy networks has made bot detection significantly more challenging. Security systems can no longer rely on simply blocking IPs from known datacenters. To combat bots that use residential proxies, modern bot management solutions must use more advanced techniques like TLS fingerprinting, browser fingerprinting, and behavioral analysis to identify the subtle signs of automation that are present even when the IP address appears legitimate.

© PEAKHOUR.IO PTY LTD 2025   ABN 76 619 930 826    All rights reserved.