
What are ISP proxies and why do bot operators love them?
The DataDome threat research team devotes much of its effort to researching proxies because proxies are one of the key components used for scaling bot attacks. While small attacks can be easily conducted from a few virtual machines rented by an attacker, heavily distributed attacks (whether the purpose is scraping, scalping, or credential stuffing) often utilize proxies to make it look like requests are coming from a lot of devices all around the world.
Different Types of Proxies
There are different types of proxies. Residential proxies are located on residential IPs from well-known Internet Service Providers (ISPs), such as AT&T and Comcast, while data center proxies have IPs that are owned and managed by data centers.
But there’s another type of proxy that ties the benefits of residential proxies and data center proxies together—that is an ISP proxy (formerly known as a “static residential proxy”).
ISP Proxies vs. Residential Proxies: Why does it matter?
An ISP proxy is an IP address hosted in a data center but registered under the name of an ISP. With an ISP proxy, the IP appears to be linked to an ISP (particularly one with a good reputation such as AT&T or Verizon) even though the IP is actually located in a data center.
ISP proxies combine the best of both worlds:
- The speed and reliability of data center proxies.
- The good reputation of residential proxies.
ISP proxies get the benefits of both data center proxies and residential proxies—resulting in high-speed, high-quality IP addresses that can easily circumvent IP-based security solutions.
Residential proxies are IPs linked to ISPs, but are not located in data-centers. Instead, residential proxies route requests through real user devices. Most of the time, these proxies are obtained using malicious browser extensions, mobile SDKs, and infected devices.
What are static residential proxies?
Static residential proxies are the same as ISP proxies; it is just another, older term for them. The term “static residential proxies” was used because, unlike residential proxies (whose IPs sit on human-user devices that can travel and move across different networks, and whose internet providers can change the IPs), ISP proxies are located in data centers, so their IPs stay the same.
What are ISP proxies used for?
ISP proxies can be used for any large-scale online operation where someone wants to stay under the radar. They are ideal for web scraper bots, scalper bots, or low-and-slow network layer attacks. They are also used for social media monitoring, SEO monitoring, and anything that requires managing multiple online accounts.
ISP proxies are very popular among scalpers who want to check out large quantities of limited edition products as soon as they become available.
Most residential proxy providers also offer ISP proxy plans. In general, the price is slightly higher for ISP proxies, and users need to pay for each IP address they use (contrary to residential proxies, where users often only pay for the bandwidth).
In a previous blog post, we presented one of the machine learning (ML) models we use to flag shared residential proxies. But to detect ISP proxies, in particular private ISP proxies, we adopt a different approach.
People are willing to pay extra to use ISP IPs privately, so the nature of the bot traffic originating from private ISP IPs is different from traffic originating from shared residential proxies. That’s why we developed specific approaches to detect private ISP proxies (to be covered in future articles).
Use of ISP Proxies in the Wild
Using customer data, we measure ISP proxy use by bad bots and see how it impacts websites and mobile applications in the wild.
Statistics
Traffic originating from private ISP proxies can be safely blocked. The tables and graphs below show statistics about traffic originating from ISP proxies that was blocked (not only classified) by DataDome. We get an additional level of confidence in the data since we know it is traffic we observed and blocked in production, which didn’t engender any false positives.
The table below shows the distinct number of IPs flagged as ISP proxies on which we blocked traffic over a two-week period per autonomous system.
The two biggest providers of ISP proxy IPs are AT&T and Sprint. They respectively have 139K and 131K distinct ISP proxy IPs that got blocked over a two-week period on websites and mobile apps protected by DataDome.
We also see other well-known American ISPs such as:
- Comcast: 29K ISP Proxy IPs
- Verizon: 20K ISP Proxy IPs
Another thing we observe is that the IP ranges (CIDRs) linked to ISP proxy IPs are relatively small, mostly between /18 (16,384 addresses) and /24 (256 addresses), which confirms the findings of other security researchers who have worked on ISP proxies.
Note that not all small CIDRs originating from ISPs are necessarily used as ISP proxies. Among them are many corporate/organization IP ranges.
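The two observations above (small ISP-registered ranges, and the caveat that some of them are ordinary corporate ranges) can be combined into a triage heuristic. The following is an added example, not DataDome's detection method: it lists ISP-registered /18 to /24 ranges where most distinct IPs already carry a bot verdict from non-IP signals. The prefix table, ASNs, events, and thresholds are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table: private 10/8 space and documentation ASNs (RFC 5398)
# stand in for real announcements. "kind" is who the range is registered to.
PREFIXES = [(ipaddress.ip_network(p), asn, kind) for p, asn, kind in [
    ("10.20.0.0/18", 64496, "isp"),       # small ISP-registered range
    ("10.30.5.0/24", 64496, "isp"),       # small ISP range used by an office
    ("10.64.0.0/12", 64497, "isp"),       # large consumer pool
    ("10.200.0.0/24", 64500, "hosting"),  # ordinary data center range
]]

# Constructed events: (client IP, bot verdict from non-IP signals such as
# fingerprint or behaviour). The verdict source is an assumption of this example.
EVENTS = [
    ("10.20.1.10", True), ("10.20.1.11", True), ("10.20.7.3", True),
    ("10.20.9.9", True), ("10.20.63.1", False),
    ("10.30.5.7", True), ("10.30.5.8", False), ("10.30.5.9", False),
    ("10.30.5.12", False),
    ("10.64.3.3", True), ("10.70.1.1", True), ("10.79.9.9", True),
    ("10.200.0.5", True), ("10.200.0.6", True), ("10.200.0.7", True),
]

def longest_match(ip):
    """Return the most specific (network, asn, kind) row covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [row for row in PREFIXES if addr in row[0]]
    return max(hits, key=lambda row: row[0].prefixlen) if hits else None

def candidate_ranges(events, min_ips=3, min_bot_ratio=0.8):
    """List ISP-registered /18../24 ranges where most distinct IPs look like bots."""
    seen, bots = defaultdict(set), defaultdict(set)
    for ip, is_bot in events:
        row = longest_match(ip)
        if row is None or row[2] != "isp" or not 18 <= row[0].prefixlen <= 24:
            continue  # unknown, hosting, or outside the size band reported above
        seen[row[:2]].add(ip)
        if is_bot:
            bots[row[:2]].add(ip)
    out = []
    for (net, asn), ips in seen.items():
        ratio = len(bots[(net, asn)]) / len(ips)
        if len(ips) >= min_ips and ratio >= min_bot_ratio:
            out.append((str(net), asn, len(ips), round(ratio, 2)))
    return sorted(out)

if __name__ == "__main__":
    print(candidate_ranges(EVENTS))
```

The office-style /24 is not listed because most of its IPs show no bot signal, which is the corporate-range case the note above warns about; the output is a review list, not a block list.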
How do ISP proxies impact websites and mobile applications?
The graph below shows the number of bot requests originating from ISP proxies over time for the top two most targeted autonomous systems.
Over a two-week period, we observed a constant stream of bad bot requests originating from AT&T ISP proxies. The volume was more than 200M bad bot requests per day from AT&T private proxies alone.
How are bots using ISP proxies to attack businesses?
As we explained before, ISP proxies tend to be even more expensive than residential proxies, especially private ISP proxies that are not shared by several users.
Thus, it’s not surprising to observe that the majority of bad bot requests originating from ISP proxies are scalper bots, as shown on the pie chart below.
Note that there is some overlap between scalping and scraping. Indeed, a significant volume of the bots that make requests to buy limited edition products are just testing the availability of the product in order to be the first to get their hands on it. Requests that mostly target product pages or product-related APIs are classified as “scraping”, but they are part of a broader scalping attack.
Which industries are most targeted by bots operating from ISP proxies?
Among our top 20 customers most targeted by ISP proxies, no industry is spared. While e-commerce websites and apps are the most targeted, we also see a heavy use of ISP proxies to scrape classified websites and transportation websites.
ISP proxies are also used for credential stuffing and fake votes/views on social networks and streaming services. Moreover, high-quality ISP proxies are used to conduct fraud (like ad fraud, for example).
How advanced are bots operating from ISP proxies?
Bad bots operating from ISP proxies tend to be very advanced. Given the high price of ISP proxies, bot developers that leverage them tend to have already implemented the usual quick wins such as:
- Forging Fingerprints
- Having Consistent HTTP Headers
- Executing JS and Supporting Cookies
- Forging CAPTCHAs
It’s likely that a growing number of sophisticated bots coming to your website, mobile app, and APIs are using ISP proxies, yet we don’t see a significant volume of simple bots operating on them. Thus, if your website or mobile apps are targeted by bots operating from ISP proxies, simple protection techniques such as IP address rate limiting policies or traditional CAPTCHAs won’t help.
Because ISP IPs are of high quality, you cannot rely exclusively on IP-based security solutions to stop these threats (one of the reasons why WAFs fall short).
Conclusion
Private ISP proxies combine the speed and reliability of data-center proxies and the good reputation of residential proxies. Since they offer a low latency connection that appears to come from reputable autonomous systems, ISP proxies are heavily used by scalper bots to buy limited edition sneakers, gaming consoles, GPUs, and NFTs.
An analysis conducted on websites and applications protected by DataDome shows that no industry is spared from bots operating on ISP proxies. From e-commerce websites and mobile apps to classifieds and social networks, all industries face significant volumes of sophisticated bad bot traffic originating from ISP proxies.
That’s why it’s best to rely on a fraud management solution that takes into account much more than the quality of a request’s IP address. A thorough solution will look at fingerprints, HTTP headers, browsing behavior, device versions, user agents, and much more.
DataDome’s bot detection and online fraud solution protects websites, mobile apps, and APIs from all forms of bad bots, blocking them within milliseconds of their arrival. To see how many bots are currently reaching your website today, start your free trial. It only takes a few minutes to set up and requires no credit card information.
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by Antoine Vastel, PhD, Head of Research. Read the original post at: https://datadome.co/threat-research/what-are-isp-proxies-why-do-bot-operators-love-them/