How Attackers Find and Use Free Proxies
The post How Attackers Find and Use Free Proxies appeared first on Blog – DataDome.
For hackers, distributing attacks across many IP addresses gets easier—and cheaper—each day.
Proxies enable attackers to change their IP address regularly. The ability to distribute an attack over thousands of different IP addresses allows an attacker to avoid being detected and blocked by traditional approaches such as rate limiting.
While most proxies require payment, several websites provide a list of free proxies that can be accessed by anyone. Although free proxy distributors claim they are intended for humans who want to hide their IP addresses for privacy purposes, DataDome detects free proxies being heavily used by malicious bots to conduct attacks. Let’s explore some questions and statistics around free proxies.
- Why are the proxies free?
- Should security engineers just block free proxy IPs?
- Free Proxy Statistics
- How are free proxies used in the wild by attackers?
- What type of attacks are conducted using free proxies?
- Are free proxies always free?
- Investigating a DDoS Attack Using Free Proxies
- How You Can Respond to Free Proxies
Why are the proxies free?
Most of the time, free proxies are an SEO technique employed by websites to attract users in order to later upsell them non-free proxies of higher quality (more up-time, lower latency, and better reputation).
Free proxies tend to be of low quality. Most are located in data centers (often linked to fraud in common IP reputation databases) or belong to ISPs with bad reputations. In addition to their poor reputation, free proxies are highly unstable. They are often down and exhibit random spikes of latency, making their use unreliable at scale.
As a security engineer, should I just block free proxy IPs?
No. Blocking all free proxy IPs by default can be risky, since some IPs are heavily shared—particularly in developing countries. You can adopt a more nuanced approach that is more aggressive with free proxies linked to data center autonomous systems, but you should generally use this information as one among many signals to make your decision (whether to block traffic, show a CAPTCHA, etc.).
Moreover, as with all reputational signals, it’s important to set a retention time or expiration date when flagging or blocking IPs, because IPs can be shared and reused by other people.
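The approach described above, sketched as an added example (not DataDome's code): a free-proxy flag that expires after a retention window and is weighed with other signals instead of blocking outright. The retention period, the score weights and thresholds, and the `executed_js` / `has_cookies` signals are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed retention window: a listing older than this no longer counts.
RETENTION_SECONDS = 7 * 24 * 3600

@dataclass
class ProxyReputation:
    """Free-proxy sightings keyed by IP, each with a last-seen timestamp."""
    last_seen: dict = field(default_factory=dict)

    def record(self, ip, seen_at):
        # Keep the most recent time the IP appeared on a free proxy list.
        self.last_seen[ip] = max(seen_at, self.last_seen.get(ip, 0))

    def is_flagged(self, ip, now):
        seen = self.last_seen.get(ip)
        if seen is None:
            return False
        if now - seen > RETENTION_SECONDS:
            # Expired: the address may since have been reassigned or reused.
            del self.last_seen[ip]
            return False
        return True

def decide(rep, ip, as_type, now, executed_js, has_cookies):
    """Combine the free-proxy flag with other signals (illustrative weights)."""
    score = 0
    if rep.is_flagged(ip, now):
        # More aggressive on data-center ASes than on possibly shared
        # residential addresses.
        score += 3 if as_type == "datacenter" else 1
    if not executed_js:
        score += 2
    if not has_cookies:
        score += 1
    if score >= 5:
        return "block"
    if score >= 3:
        return "captcha"
    return "allow"
```

With these weights, a flagged residential IP that behaves like a browser is allowed, while the same flag on a data-center IP with no JavaScript execution and no cookies is blocked.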
Free Proxy Statistics
At DataDome we search dozens of free proxy websites and GitHub repositories to gather a history of IP addresses used as free proxies. This signal is taken into account by our detection ML models to block fraudulent traffic.
To ensure these IPs are actual proxies (and to avoid a pollution attack, in which someone posts legitimate IPs as fake proxies so that they get flagged), we test each proxy.
One interesting fact we observe is that the majority of free proxy websites have a lot of overlapping free proxies. It’s highly likely they scrape each other and publish the same data across websites.
How are free proxies used in the wild by attackers?
Traffic originating from free proxies represents <1% of the total traffic we observe on the websites and applications we protect. However, a significant fraction of the free proxy traffic is malicious (>95%).
The graph below shows the number of bad bot requests originating from free proxies over a one-week period. Within one week, we observed several significant spikes of malicious traffic, each one representing more than 500K malicious requests:

Graph 1: Bot requests originating from free proxies over time.
The map below shows the geographical distribution of bad bot traffic originating from free proxies. We encounter free proxies all around the world, with clusters in the US, South America, and Europe.

Graph 2: Geographical distribution of bot requests originating from free proxies.
Regarding the autonomous systems linked to free proxies, we observe a majority of IP addresses that belong to data center autonomous systems (~70%), vs. ~17% linked to residential ISPs.

Graph 3: Type of autonomous system associated with free proxies (residential vs. data-center).
The table below shows the number of malicious bot requests originating from free proxies per autonomous system.

What type of attacks are conducted using free proxies?
Bots originating from free proxies conduct a wide spectrum of attacks: scraping, account takeover, vulnerability scanning, and DDoS attacks.
We don’t observe any scalping activity on free proxy IPs, which makes sense because scalping requires fast and reliable proxies to secure limited-edition items before other bots and human users.
When it comes to vulnerability scanning, we see a continuous stream of malicious activity coming from free proxies. For example, approximately 20.2% of free proxy IPs are trying to detect the presence of the Log4j vulnerability.
Are free proxies always free?
DataDome’s threat research team subscribes to several proxy providers to continuously monitor their proxy IP addresses. Over a one-week period, we noticed that 26.9% of the free proxy IPs we monitored were also offered/rented by at least one of the paid proxy providers we infiltrated. Thus, some “free” proxies are monetized by other proxy networks.
Investigating a DDoS Attack Conducted Using Free Proxies
We focused on the biggest spike of traffic from Graph 1 that occurred on July 3 and 4, 2022.
If we split the traffic that occurs during this spike by customer, we observe that bots mainly targeted four different websites/applications, with a spike of over 550K bad bot requests per minute.
Websites and applications targeted belong to different categories: e-commerce, classified and community/social network. Each customer is represented by a unique color in the graph below.

Graph 4: Bot requests originating from free proxies over time per customer.
The malicious traffic targeting the four different customers seems to be linked to the same attacker, even though the customers don’t share anything in common. All the requests targeted insignificant pages: home page and category pages.
From a fingerprinting point of view, the different spikes don’t share a significant number of common characteristics (besides all having malformed and outdated fingerprints). All spikes have different HTTP headers: User-Agent (randomized on some customers and not on others) and Accept-Language (sometimes present, sometimes missing).
None of the bots involved in these spikes executed any JavaScript (JS), which is something we tend to observe outside of this particular series of attacks. In general, bots operating from free proxies are simple: no JS execution, poor or no cookie support, and inconsistent/outdated fingerprints.
Even though free proxies are low quality (high latency, bad reputation), they can cause significant damage if you’re not protected. Attackers can get their hands on a significant number of free proxies that can be used for any purpose—ranging from DDoS to credential stuffing and vulnerability scanning.
How You Can Respond to Free Proxies
You can search free proxy websites yourself, or use open-source GitHub repositories that are updated daily and that check free proxy sites for you, then aggregate and update the data (e.g. github.com/clarketm/proxy-list, free-proxy.cz/en/, and free-proxy-list.net/).
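An added example (not from the original post) of aggregating such lists on the defender side: it parses `ip:port` lines, discards malformed and non-routable entries, records which sources listed each IP, and measures the cross-site overlap mentioned earlier. The one-entry-per-line format and the source names are assumptions, and the filter is only a sanity check; it does not replace testing each proxy.

```python
import ipaddress
from collections import defaultdict

# Ranges that can never be a public proxy; listing them would only pollute the set.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def parse_proxy_list(text):
    """Return the set of (ip, port) pairs from a list with one 'ip:port' per line."""
    entries = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        host, sep, port = fields[0].rpartition(":")
        if not sep or not port.isdecimal() or not 0 < int(port) < 65536:
            continue  # no port, or port out of range
        try:
            ip = ipaddress.IPv4Address(host)
        except ValueError:
            continue  # not an IPv4 address
        if any(ip in net for net in NON_ROUTABLE):
            continue
        entries.add((str(ip), int(port)))
    return entries

def merge_sources(sources):
    """Map each listed IP to the set of source names that published it."""
    seen = defaultdict(set)
    for name, text in sources.items():
        for ip, _port in parse_proxy_list(text):
            seen[ip].add(name)
    return dict(seen)

def overlap_ratio(seen):
    """Fraction of distinct IPs that appear on more than one source."""
    if not seen:
        return 0.0
    return sum(1 for names in seen.values() if len(names) > 1) / len(seen)

# Constructed sample lists (documentation address ranges), not real proxy data.
SOURCES = {
    "site_a": "# constructed\n203.0.113.5:8080\n198.51.100.7:3128\n"
              "192.168.1.10:8080\nnot-an-ip:80\n",
    "site_b": "203.0.113.5:8080\n192.0.2.44:1080 US elite\n198.51.100.7:99999\n",
}
```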
Whether or not an IP address is linked with free proxies is a good signal to take into account for bot and fraud protection. Just remember that blocking the whole IP is risky, since many IPs are shared.
Blocking per IP is not enough and can be dangerous with shared IPs. Moreover, while blocking an IP may stop one attack, sophisticated attackers will adapt. They may start forging their signatures, adapting their behavior, or using cleaner residential IPs to appear more human.
That’s why it’s important to capture many different types of signals to protect your endpoints against sophisticated attacks in real time. And that’s how an advanced solution like DataDome’s detection engine stops bots before they reach your data.
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by Antoine Vastel, PhD, Head of Research. Read the original post at: https://datadome.co/bot-management-protection/how-attackers-find-use-free-proxies/

