The Invisible Army: Residential Proxy Abuse in Internet-Scale Attack Traffic

Every enterprise firewall processes traffic from residential IP space. Traditional reputation feeds fail to flag IPs that rotate before they can be cataloged. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from home internet connections — and 78% vanish before any reputation system can flag them.

To a reputation feed, the source IP is indistinguishable from a legitimate user's connection — the same ISPs, the same address ranges. Attackers route malicious traffic through ordinary home broadband, mobile data, and small-business connections — the same IP address ranges used by employees, customers, and partners. This report quantifies the residential proxy threat at internet scale and identifies what defenders can do about it.

What's Inside

  • The Landscape: 39% of unique IPs originate from residential address space — nearly double their 22% share of sessions. Each residential IP averages fewer than 3 sessions before disappearing. They are everywhere, briefly.
  • The Rotation Economy: 78% of residential IPs appear in only 1–2 sessions and are never observed again. IP reputation is structurally broken against residential proxies. The rotation rate exceeds the update cycle of any feed-based defense.
  • The Sleep Cycle: Traffic from IPs geolocating to India drops 34% at night — the data is consistent with compromised home PCs following the human sleep cycle. The device owners are victims.
  • The Supply Side: Worm propagation, IoT botnets, commercial proxy fleets, and VPN reconnaissance — four separate threats hiding behind one label, with zero IP overlap between at least two populations.
  • When Networks Die: After IPIDEA lost 40% of its nodes, operators backfilled within weeks. Every major takedown produces the same result — temporary disruption, then regeneration.
  • The Detection Gap: Detection must shift from "where is the traffic from?" to "what is the traffic doing?" Device fingerprinting provides more durable detection because fingerprints survive IP rotation.
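
The "Rotation Economy" and "Detection Gap" points above can be seen in miniature on a small session log. The following Python is an added illustration, not GreyNoise code or data: it runs over a constructed set of sessions in which one hosting IP persists for days, one residential proxy pool changes IP every one or two sessions behind a single client signature, and one legitimate home user returns from the same address. It simulates a reputation feed that lists an IP one day after first sighting and shows how little of the rotating residential traffic that feed ever covers, then regroups the same sessions by client fingerprint (an assumed abstract signature standing in for a TLS/HTTP fingerprint hash) to surface the rotating pool. The `ip_type` labels, fingerprint names, and IP addresses are all constructed.

```python
from collections import defaultdict

# Constructed sample session log, not GreyNoise data. Each record is
# (day, source_ip, ip_type, client_fingerprint, path). The fingerprint is an
# assumed client-side signature (e.g. a TLS/HTTP fingerprint hash); the
# ip_type label stands in for an IPinfo-style classification.
SESSIONS = [
    # one hosting IP that keeps hitting /login over three days
    (1, "203.0.113.10", "hosting", "fp-A", "/login"),
    (1, "203.0.113.10", "hosting", "fp-A", "/login"),
    (2, "203.0.113.10", "hosting", "fp-A", "/login"),
    (3, "203.0.113.10", "hosting", "fp-A", "/login"),
    # a residential proxy pool: one client signature, a fresh IP every 1-2 sessions
    (1, "198.51.100.1", "residential", "fp-B", "/login"),
    (1, "198.51.100.2", "residential", "fp-B", "/login"),
    (2, "198.51.100.3", "residential", "fp-B", "/login"),
    (2, "198.51.100.3", "residential", "fp-B", "/login"),
    (3, "198.51.100.4", "residential", "fp-B", "/login"),
    (3, "198.51.100.5", "residential", "fp-B", "/login"),
    # a legitimate home user returning from the same address each day
    (1, "198.51.100.9", "residential", "fp-C", "/home"),
    (2, "198.51.100.9", "residential", "fp-C", "/home"),
    (3, "198.51.100.9", "residential", "fp-C", "/home"),
]


def rotation_stats(sessions, ip_type="residential", short_lived_max=2):
    """Per-IP session counts for one IP type: share of unique IPs, share of
    sessions, and the fraction of IPs seen at most `short_lived_max` times."""
    per_ip = defaultdict(int)
    type_of = {}
    for _, ip, kind, _, _ in sessions:
        per_ip[ip] += 1
        type_of[ip] = kind
    ips = [ip for ip in per_ip if type_of[ip] == ip_type]
    sessions_of_type = sum(per_ip[ip] for ip in ips)
    short_lived = sum(1 for ip in ips if per_ip[ip] <= short_lived_max)
    return {
        "ip_share": len(ips) / len(per_ip),
        "session_share": sessions_of_type / len(sessions),
        "short_lived_fraction": short_lived / len(ips),
    }


def feed_coverage(sessions, lag_days=1):
    """Simulate a reputation feed that lists an IP `lag_days` after it is
    first seen. Returns {ip_type: (sessions already listed, total sessions)}."""
    first_seen = {}
    for day, ip, _, _, _ in sorted(sessions):
        first_seen.setdefault(ip, day)
    covered = defaultdict(lambda: [0, 0])
    for day, ip, kind, _, _ in sessions:
        covered[kind][1] += 1
        if day >= first_seen[ip] + lag_days:
            covered[kind][0] += 1
    return {kind: tuple(v) for kind, v in covered.items()}


def fingerprint_clusters(sessions):
    """Group sessions by client fingerprint instead of source IP."""
    clusters = defaultdict(lambda: {"ips": set(), "sessions": 0, "paths": set()})
    for _, ip, _, fp, path in sessions:
        c = clusters[fp]
        c["ips"].add(ip)
        c["sessions"] += 1
        c["paths"].add(path)
    return clusters


def rotating_pools(sessions, min_ips=3, max_sessions_per_ip=2.0):
    """Flag fingerprints whose sessions are spread thinly over many IPs:
    the shape of an IP-rotating client that per-IP reputation never sees."""
    flagged = []
    for fp, c in fingerprint_clusters(sessions).items():
        n_ips = len(c["ips"])
        if n_ips >= min_ips and c["sessions"] / n_ips <= max_sessions_per_ip:
            flagged.append(fp)
    return sorted(flagged)


if __name__ == "__main__":
    print(rotation_stats(SESSIONS))
    print(feed_coverage(SESSIONS))
    print(rotating_pools(SESSIONS))
```

On this sample the lagged feed covers half of the hosting sessions but only the legitimate home user's residential sessions; every proxy-pool session arrives from an address the feed has not listed yet. Keyed on the fingerprint instead, the same six sessions collapse into one cluster spread over five IPs, which is what `rotating_pools` flags. The thresholds are illustrative; in production the fingerprint would come from the TLS or HTTP layer and the threshold from baselining normal users.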

The Data

  • 4 billion sessions over 90 days (November 29, 2025 – February 27, 2026)
  • 30,000-session validated sample with IPinfo IP type classification
  • 683 distinct ISP organizations across dozens of countries
  • Censys ground-truth validation confirming 42% genuinely residential endpoints, rising to 62% with compromised customer premises equipment; 38% were misclassified servers or scanners