Reflections from an IST roundtable
At the end of January, Google announced the takedown of the Chinese company IPIDEA’s “residential proxy” network. The disruption action, which was informed by research from Spur and Lumen, affected millions of consumer devices whose Internet connections were being repurposed by IPIDEA’s 13 different proxy service brands. Google removed hundreds of apps that used IPIDEA’s software libraries from its Android platform.
Why did Google take such drastic action? According to their mapping of IPIDEA’s network, in a single week, over 550 cyber threat actors, including those from China, North Korea, Iran, and Russia, used IPIDEA proxies to obfuscate their traffic. IPIDEA also enabled the creation of Kimwolf, the “most powerful botnet ever assembled,” in the words of one security researcher.
Yet, residential proxies are not a focus of policymakers. In fact, many in Washington haven’t heard of “ResProxies” at all. Last week, IST convened leaders from internet service providers (ISPs), threat intelligence organizations, and law enforcement to understand how to raise awareness about this urgent threat—and, more importantly, begin to develop practical policy solutions to combat it.
What is a ResProxy?
Proxy services are everywhere. At their core, proxy networks act as intermediaries, or waypoints, for internet traffic that make it appear to an end server as if the proxy itself originated the traffic, rather than the user of the service. They can provide security and anonymity, often acting as a firewall or web filter.
A residential proxy network is a specific type of proxy service that routes traffic through IP addresses assigned by internet service providers to their customers, often households or small businesses.
Although they have existed for decades, ResProxy networks are growing rapidly across the United States and around the globe. Due to their capacity for web scraping, ResProxies have become both more profitable and more prolific. The demand for data to train AI models has led content providers to place restrictions on overt scraping activity. As a result, data aggregators are increasingly interested in obfuscating their traffic, and residential IP addresses are a convenient way to do so.
While ResProxy networks often resemble more traditional botnets, very few of their “nodes” are infected with malware. Instead, most of the devices in a ResProxy network—from internet-connected TVs to mobile phones—are running seemingly normal software or browser extensions that also happen to turn them into traffic relays ready for use by a ResProxy network. Some devices sold at major retailers are even programmed to join ResProxy networks out of the box. Just plug them in, and they will register with a “wrangler” as being ready to reroute requests.
Who is using ResProxies?
Proxy services can be privacy enhancing, and ResProxies in particular can allow a company to conduct geo-tagged market research and develop ads. Scraping is also a significant driver of ResProxy use, as evidenced by proxy services’ own advertising.
However, several factors make ResProxies attractive to cyber criminals and other malicious actors. Unlike major domains or enterprise-level IP addresses, a residential IP address is difficult to give an accurate reputation score, which reflects the risk that an address is involved in malicious activity. Residential addresses are ephemeral: while a given ISP owns a specific IP range, the devices (and households) using that ISP are assigned addresses that change regularly. They are also hard to fingerprint, as household and mobile internet habits vary significantly. The user devices in a ResProxy network do not funnel ResProxy traffic all the time; within a short span, the same device may be used by legitimate household users for everyday internet activity. In some cases, ResProxy traffic may even be indistinguishable from regular usage. Combating ResProxies therefore poses a significant challenge: it is hard to flag suspicious behavior, and blocking residential IPs will almost certainly harm real users on household networks. This ambiguity is incredibly appealing to cyber criminals and others seeking cover for malign activity. The growth in ResProxy network size and traffic volume, buoyed by web scraping and other distracting internet activity, also makes it easier for cyber criminals to blend in.
As a result, nefarious actors of all types use ResProxies. They can be leveraged to conduct denial of service attacks. More “traditional” fraudsters use localized proxy nodes, which can be procured at the ZIP code or even neighborhood level, to bypass geographic controls on bank account creation. And, of course, ransomware gangs and nation-state criminal groups use the networks to launder their command and control traffic and to exfiltrate data.
The Kimwolf botnet represented an even more disturbing use of ResProxies. By addressing traffic to local area networks, Kimwolf’s creators were able to turn ResProxy nodes into initial access points on millions of home networks, allowing for exploitation of vulnerable devices “behind the firewall.” IPIDEA’s massive footprint helped Kimwolf become one of the fastest-growing botnets of all time.
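The mitigation a relay operator, router vendor or ISP would want against the Kimwolf pattern above is an egress check that refuses to forward proxied requests into the relay's own LAN. The following is an added example and not code from the IST post or from any vendor it names; the blocked ranges, hostnames and resolver table are constructed for illustration.

```python
import ipaddress
from typing import Callable, Iterable, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Destinations a home-network relay should never forward proxied traffic into.
# (Constructed list for illustration; a deployment would tune it to its network.)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                       # "this" network
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 LAN space
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
    "224.0.0.0/4",                                     # multicast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 equivalents
)]


def _normalize(addr: IPAddr) -> IPAddr:
    """IPv4-mapped IPv6 (::ffff:192.168.1.1) must be judged as its IPv4 form."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def is_lan_destination(addr: IPAddr) -> bool:
    a = _normalize(addr)
    return any(a in net for net in BLOCKED_NETWORKS)


def is_forwardable(host: str, resolver: Callable[[str], Iterable[str]]) -> bool:
    """True only if every address `host` resolves to is outside the blocked ranges.

    `resolver` maps a hostname to its address strings. The relay must then
    connect to the address it checked rather than resolve again; otherwise a
    name that first answers publicly and later privately (DNS rebinding) slips through.
    """
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP: no lookup
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:                                      # unresolvable: refuse
        return False
    return not any(is_lan_destination(a) for a in addrs)


# Constructed resolver table standing in for real DNS (203.0.113.0/24 is documentation space).
FAKE_DNS = {"site.test": ["203.0.113.10"],
            "rebind.test": ["203.0.113.10", "192.168.1.1"]}  # one answer points inward


def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for h in ("site.test", "rebind.test", "192.168.1.254", "::ffff:10.0.0.5"):
        print(h, "forward" if is_forwardable(h, fake_resolve) else "refuse")
```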
What’s a policymaker to do?
At our roundtable, we heard deep concern from network operators and cybersecurity researchers about the threat we already face from ResProxies. And the problem is only poised to grow. While there are operational steps that ISPs are already taking to share information and better coordinate with law enforcement, this is not a problem that can be solved by providers alone. We left the discussion clear-eyed about the fact that there is a lot of work to do and that we need to act with a sense of purpose and urgency. Here are some of our key takeaways and next steps:
- This topic demands more attention from policymakers. The bad guys are already making full use of ResProxies, so we are playing catch-up. We are planning on continuing to raise awareness in Washington and with international counterparts.
- There are clear policy angles worth exploring.
  - On the supply side, app stores and retailers are key points of leverage for software and hardware, respectively. What help do they need identifying ResProxy software development kits? How do evolving legal regimes (such as implementation of the Digital Markets Act in Europe) create opportunities—or barriers—to action?
  - On the demand side, there is work to be done in further mapping out the ecosystem. How do proxy service providers interact with the “wranglers” that push traffic to residential devices? What underlying business relationships are enabling rapid growth?
  - We are also interested in applying lessons learned from the Ransomware Task Force on disruption of clearly malicious activity, like the law enforcement takedown of 911 S5. What authorities are already available to disrupt networks and where might clarification be needed?
- We need to keep broadening the conversation. One attendee at the roundtable joked that it was the first time in a while they had been in a room where everyone knew what a ResProxy was—something that we hope to change. If you have insights to share, we want to hear them. Come find us at our Birds of a Feather session at RSA on March 24 or reach out to let us know what you’re seeing.
This commentary is the opinion of the authors.

