Why Some Attacks on a Server Are Harder to Identify

Posted on Monday, May 04 2020 @ 15:03 CEST by Thomas De Maesschalck
Cyberattacks are growing not only in numbers but also in complexity. Today’s cyberattacks no longer rely on user-specific actions or security holes waiting to be exploited. Attackers actively search and develop new ways of launching their attacks, including through the use of new technologies and improved social engineering approaches.

One of the growing trends online is attackers using sophisticated techniques to anonymize malicious traffic, mainly for the purpose of making their attacks more difficult to identify and trace back. Without clear attack sources and footprints to investigate, it is even more difficult for security experts to identify attack vectors and types.

One of the techniques used to anonymize malicious traffic is routing it through residential proxies. Before we get to how this technique is executed – and why it is so dangerous for victims – we must first take a closer look at what residential proxies are.

Residential proxies are basically a new type of attack infrastructure used by cyber attackers. As the name suggests, residential proxies – also known as bulletproof proxies – are home devices, usually a router, an IoT device, or a wireless access point, used to route malicious traffic to target servers.

The development of bulletproof proxies starts with attackers discovering exposed network devices that belong to home users. The exposed devices are then compromised and implanted with bot software designed specifically to relay attack traffic.

Once captured, attackers can utilize local, home networks to send and redirect traffic at any time. Routers that have been injected with bots can be used to send a massive amount of traffic as part of a DDoS attack, for example.

Since these devices are also used by home users for legitimate activities, it is difficult to flag them as bots or as malicious sources of traffic. This is why residential proxies are also known as bulletproof proxies: they are nearly impossible to trace back to the attacker.

Bulletproof Proxies in the Open
The statistics behind bulletproof proxies are just as frightening. For starters, bulletproof proxies are now offered as services. For as little as $75, attackers can gain access to more than 10 million residential IP addresses. This means large scale attacks are no longer difficult to launch.

The distribution of residential IP addresses captured by service providers is also massive. IP addresses from different regions are available. Some of the most robust service providers can offer up to 10 million proxies in different parts of the world.

What’s even scarier is the fact that bulletproof proxy service providers know that the network is being used for attacks and other malicious purposes. Surveys showed that bulletproof proxy providers usually see a large Bitcoin deposit before a large-scale attack. Bulletproof proxies can be used to launch different kinds of attacks. Aside from DDoS, which is the obvious way of using the vast network, attackers can also target mobile application and web service endpoints, mainly for phishing or spoofing.

Financial apps and web services are the primary targets of such attacks. Thanks to the lack of downtime with such a robust network of proxies, attackers can launch and sustain an attack over a longer period of time, resulting in more personal details captured in the process.

Still with Legitimate Use Cases
While bulletproof proxies are commonly exploited by attackers, there are still legitimate reasons why such a service is valuable. Some residential proxy networks actually grow through legitimate means, such as offering users rewards for sharing their internet connectivity. Once the network is sizeable and robust enough, it can be put to a variety of uses.

Web content scraping is the most common use of a bulletproof proxy service. Rather than manually changing IP addresses or using conventional proxy servers, a web scraping tool can perform its tasks faster and more efficiently by utilizing millions of IP addresses belonging to legitimate home users. It is nearly impossible to detect scraping done this way.

Anonymity and demand for fewer geolocation restrictions are also common reasons why many users choose to utilize a bulletproof proxy. Once again, the lack of footprints and other common signs of a proxy server make residential proxies more capable of bypassing any content restriction and fooling tracking software.

A Security Challenge
Residential proxies always look like real users. Security experts and internet security companies are working hard to find ways to identify the footprints of attack bots that use residential IP addresses. Additional countermeasures for this attack vector are also being developed, in the hope of having them in place before such a network is used to launch a catastrophic attack against a key web service or piece of infrastructure. Nevertheless, bulletproof proxies make some attacks incredibly difficult to identify, even when the victim's server incorporates all the security measures available. The world is looking forward to a solution to this form of cyberattack.
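The point above is that a per-IP view is what residential proxies defeat: each home address sends only a handful of requests, so conventional rate limiting never fires. The added example below (written for this page, not code from the article or any vendor) shows the defender-side shift that follows from that: instead of counting requests per source address, it correlates requests that share a behavioural footprint (same method, same path, same user-agent string, mostly failing) across many distinct addresses inside a short window. The access-log lines and the simple `timestamp ip method path status "user-agent"` format are constructed for the example; the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the article). Twelve login failures from
# six different "residential" addresses sharing one user-agent, interleaved with
# ordinary browsing from two other users. Addresses are from TEST-NET ranges.
SAMPLE_LOG = """\
2020-05-04T15:00:01 203.0.113.10 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:00:05 198.51.100.7 GET /index.html 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1"
2020-05-04T15:00:09 203.0.113.22 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:00:12 198.51.100.7 GET /products 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1"
2020-05-04T15:00:17 203.0.113.35 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:00:25 203.0.113.48 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:00:30 198.51.100.19 POST /login 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4) Mobile/15E148"
2020-05-04T15:00:33 203.0.113.61 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:00:41 203.0.113.74 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:00:44 198.51.100.19 GET /account 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4) Mobile/15E148"
2020-05-04T15:00:49 203.0.113.10 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:00:57 203.0.113.22 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:01:02 198.51.100.7 POST /login 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1"
2020-05-04T15:01:05 203.0.113.35 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:01:13 203.0.113.48 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:01:21 203.0.113.61 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
2020-05-04T15:01:29 203.0.113.74 POST /login 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/81.0"
"""

# Assumed log format: ISO timestamp, client IP, method, path, status, quoted user-agent.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        events.append(e)
    return events


def per_ip_rate_alerts(events, max_requests=10):
    """Conventional check: flag any single address sending more than max_requests.
    Against a residential proxy pool every address stays under the limit."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n > max_requests)


def distributed_campaign_alerts(events, window_seconds=300, min_ips=5, min_failure_ratio=0.8):
    """Correlation check: group requests by shared footprint (method, path, user-agent)
    and flag a group when, inside one sliding window, it is spread over at least
    min_ips distinct addresses and mostly fails (HTTP 4xx/5xx)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["method"], e["path"], e["ua"])].append(e)

    alerts = []
    for (method, path, ua), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            # Extend the window end j while events stay within window_seconds of evs[i].
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j]
            ips = {e["ip"] for e in window}
            failures = sum(1 for e in window if e["status"] >= 400)
            ratio = failures / len(window)
            if len(ips) >= min_ips and ratio >= min_failure_ratio:
                alerts.append({
                    "method": method, "path": path, "user_agent": ua,
                    "distinct_ips": len(ips), "failure_ratio": ratio,
                    "window_start": window[0]["ts"].isoformat(),
                })
                break  # one alert per footprint is enough
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_rate_alerts(evs))          # prints []
    for a in distributed_campaign_alerts(evs):
        print("campaign:", a)
```

On the sample data the per-IP check is silent (no address exceeds three requests), while the correlation check reports one footprint, `POST /login` with the shared Chrome user-agent, spread over six addresses with a failure ratio of 1.0. Real deployments would add further shared attributes to the grouping key (TLS fingerprint, header order, request cadence) and weigh the source ASN, since a user-agent string alone is easy for an attacker to vary.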