

(MC34) (INCYBER) Are your devices part of a (legal) botnet? Using machine learning to detect residential proxies.
Thursday, March 28, 2024 2:00 PM to 2:30 PM · 30 min. (Europe/Paris)
Information
Traditional bot detection methods are no longer sufficient in the face of constantly evolving threats, particularly sophisticated bots using residential proxies to appear more human.
Residential proxies are essential for fraudsters because they support different types of attack, such as DDoS attacks and credential stuffing. They enable fraudsters to spread their attacks over thousands of IP addresses in order to bypass common detection techniques based on per-IP rate limiting and geographic blocking.
Residential proxies use IPs that are also used by humans, belong to reputable ISPs and are often located in the same countries as the sites targeted in an attack. In our presentation, we will explore the ecosystem of residential proxies and the links between the various players in this field, with a view to improving the quality of bot detection.
In 11 months, we identified 30 million distinct IPs belonging to proxies, including over 11 million residential IPs.
Some autonomous systems, like COMCAST-7922, have 3.19% of their IPs used as proxies. We also study the relationships between different proxy providers and bots-as-a-service, revealing that most proxy providers have residential proxy IPs in common. Depending on the service, between 2.4% and 14% of proxy IP addresses are shared.
Finally, we propose a supervised learning approach to detect residential proxies belonging to proxy providers other than those studied. This model is used in production and detects around 45,000 residential proxy IPs/hour. It allows us to label over 1.9 million residential proxy IP addresses, many of which were previously unknown, such as 104,000 new IP addresses belonging to Comcast.
Session type
Masterclass
Location
Research Village
Registered attendees
Antoine LEROY
Cybersecurity Innovation Officer, THALES