3 Ways Security Teams Can Use IP Data Context

Innocently or not, residential proxy networks can obscure the actual geolocation of an access point. Here's why that's not great and what you can do about it.

Jonathan Tomek

March 3, 2023

Diorama of a fake house with blue door, with fake cottony clouds and snow covering a fake pine tree
Source: Cipri Suciu via Alamy Stock Photo

With so much of the world’s wealth, assets, and trade secrets existing in the cloud, fraudsters and nefarious players have ample motivation to look for new ways to break into networks. Increased VPN usage provides opportunities for threat actors to operate with nearly total anonymity, and we are seeing an uptick in breaches stemming from the widespread use of commercial or anonymous VPNs.

As a cybersecurity practitioner, I continually stress the importance of examining the context of VPN-driven data. Let's look at the top three trends I see emerging, as well as the role that IP address data will continue to play in the world of cybersecurity and ad fraud.

1. Residential Proxy Networks Will Keep Security and Marketing Teams Up at Night

I am amazed by the growing number of entities offering residential proxy networks and promising a world of possibilities in scraping — search engine results pages, e-commerce sites, and webpages. Residential proxy networks use the IP addresses of consumers who sign up for any number of apps that pay them to share their bandwidth. The website or service will see requests coming from what they think are residential IP addresses and allow access to content that would have been blocked had the site been able to see the original IP address.

If I wanted to, I could access or scrape any site that restricts hosted or bot traffic by disguising myself using a legitimate residential IP address from whatever location I wanted.

Many of these apps are upfront with the users who opt to share their bandwidth, but some are more nefarious players, offering users access to a VPN without telling them that their IP addresses will be shared. In such cases, those IP addresses can be used to scrape websites, commit fraud, or launch distributed denial-of-service (DDoS) attacks.

The existence of residential proxy networks is quite troubling for organizations. Marketing teams may be paying for traffic they believe to be legitimate but is actually fraudulent.

Let's say an ad farm sets up a website for the sole purpose of selling ad space via the open-market exchanges. Your company may be led to believe it's a legitimate website that receives lots of consumer traffic in your target markets, and you verify this by checking the IP address type and location. But how do you actually distinguish between real users and hosted or bot traffic hiding behind residential proxy IPs? Without additional context around residential IPs, you can't make that distinction.

2. Security Teams Will Realize That WAFs Have Blind Spots

Every organization has multiple layers of security, including Web application firewalls (WAFs).

A WAF protects your Web applications by monitoring, filtering, and blocking malicious HTTP/S traffic traveling to a Web application, preventing unauthorized data from leaving the application. It does this by adhering to a set of policies, including context around the IP address, that helps determine which traffic is malicious and which is safe. If, for instance, corporate security policy mandates that all non-residential IP addresses and addresses from a specific geolocation should be blocked, the firewall will block all traffic that matches those criteria.

Unfortunately, the proliferation of residential proxy networks means WAFs have a significant blind spot: Knowing the traffic is residential and has a geolocation that is permissible is no longer sufficient. While organizations deploy WAFs to protect against things like scraping and DDoS attacks, these tools can also be tricked into providing access when they shouldn't. Security teams need a lot more context around IP addresses to understand their incoming traffic.

3. Security Teams Will Find Ways to Detect Residential Proxy IPs

In the face of these networks, context is your best defense. Security teams should ask critical questions about incoming traffic, such as:

  • Is this traffic coming through a proxy or a VPN?

  • How many devices are connected to that IP address? (If you see hundreds of devices connected to an IP address, it’s probably not an individual person.)

  • Is the IP address stable? Has it been in the same location for 20 weeks?

  • Is the IP address part of a known residential proxy network that’s being used for other things?
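The four questions above, combined with the type-and-geolocation rule a WAF enforces in section 2, can be expressed as a small decision function. This is an added example, not code from the article or from Digital Element; the record fields, thresholds (50 devices, 20 weeks), and the "XX" embargoed country code are assumptions, and the sample records are constructed from RFC 5737 documentation addresses.

```python
from dataclasses import dataclass

# Constructed placeholder: ISO code of a geolocation the policy blocks.
EMBARGOED_COUNTRIES = {"XX"}

@dataclass
class IpContext:
    """Per-IP enrichment record (field names are assumptions for this example)."""
    ip: str
    ip_type: str                        # "residential" or "hosted"
    country: str                        # ISO 3166 alpha-2 code
    is_proxy_or_vpn: bool               # question 1
    device_count: int                   # question 2
    weeks_stable: int                   # question 3
    in_residential_proxy_network: bool  # question 4

def waf_decision(ctx: IpContext) -> str:
    """The type-and-geolocation rule the article describes a WAF enforcing."""
    if ctx.ip_type != "residential" or ctx.country in EMBARGOED_COUNTRIES:
        return "block"
    return "allow"

def context_decision(ctx: IpContext, max_devices: int = 50,
                     min_weeks_stable: int = 20) -> tuple:
    """Same rule, then the four context questions; returns verdict and reasons."""
    if waf_decision(ctx) == "block":
        return "block", ["type_or_geo_policy"]
    reasons = []
    if ctx.is_proxy_or_vpn:
        reasons.append("proxy_or_vpn")
    if ctx.device_count > max_devices:
        reasons.append("too_many_devices")
    if ctx.weeks_stable < min_weeks_stable:
        reasons.append("unstable_location")
    if ctx.in_residential_proxy_network:
        reasons.append("known_residential_proxy")
    # Membership in a known proxy network, or two independent signals, blocks;
    # a single signal is routed to analyst review instead of being allowed.
    if "known_residential_proxy" in reasons or len(reasons) >= 2:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons

# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE = [
    IpContext("192.0.2.10", "residential", "US", False, 3, 40, False),
    IpContext("198.51.100.7", "residential", "US", True, 400, 1, True),
    IpContext("203.0.113.5", "hosted", "US", False, 1, 52, False),
    IpContext("192.0.2.99", "residential", "US", False, 2, 6, False),
]

def compare(records=SAMPLE) -> dict:
    """Show where the WAF rule and the context-enriched rule disagree."""
    return {r.ip: (waf_decision(r), context_decision(r)[0]) for r in records}
```

The second record is the blind spot from section 2: a residential, permissibly located address that the WAF rule admits and only the enrichment signals reject.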

All of this VPN-driven data and context provides vital clues that can protect marketing budgets as well as corporate networks.

IP address intelligence data isn’t the panacea for securing a network, but it can go a long way in providing the context security teams need to identify when unusual activities are occurring and to investigate further. It can also help them enforce digital access rights, ensuring that users in prohibited or embargoed areas are restricted from accessing certain digital assets.

About the Author(s)

Jonathan Tomek

VP of Research and Development, Digital Element

Jonathan Tomek is VP of Research and Development at Digital Element. Jonathan is a seasoned threat intelligence researcher with a background of network forensics, incident handling, malware analysis, and many other technology skills.

Jonathan served in the United States Marine Corps. He worked at multiple threat intelligence companies, and built their threat capabilities to include identifying tactics, techniques, and procedures of malicious actors. He led several technical cybercrime and espionage teams in their initiative to enhance technical efficiency in malware analysis, malicious actor tracking, and tool development.

He is a co-founder of THOTCON, a world-renowned hacking and security conference hosted in Chicago. As a researcher and leader, he has spoken at many security conferences around the world. He has won or placed in multiple national hacking competitions, including DEFCON CTF.
