Resident evil: Understanding residential IP proxy as a dark service

Xianghang Mi, Xuan Feng, Xiaojing Liao, Baojun Liu, Xiaofeng Wang, Feng Qian, Zhou Li, Sumayah Alrwais, Limin Sun, Ying Liu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

38 Scopus citations


An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes the hosts within residential networks (in contrast to those running in a datacenter) to relay their customers' traffic, in an attempt to avoid server- side blocking and detection. With the prominent roles the services could play in the underground business world, little has been done to understand whether they are indeed involved in Cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis on them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about the RESIP services unknown before. Surprisingly, despite the providers' claim that the proxy hosts are willingly joined, many proxies run on likely compromised hosts including IoT devices. Through cross-matching the hosts we discovered and labeled PUP (potentially unwanted programs) logs provided by a leading IT company, we uncovered various illicit operations RESIP hosts performed, including illegal promotion, Fast fluxing, phishing, malware hosting, and others. We also reverse engi- neered RESIP services' internal infrastructures, uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of their security risks.

Original languageEnglish (US)
Title of host publicationProceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages17
ISBN (Electronic)9781538666609
StatePublished - May 2019
Event40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States
Duration: May 19 2019May 23 2019

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
ISSN (Print)1081-6011


Conference40th IEEE Symposium on Security and Privacy, SP 2019
Country/TerritoryUnited States
CitySan Francisco

Bibliographical note

Funding Information:
ACKNOWLEDGMENT We are grateful to our shepherd Professor Matthew Smith and the anonymous reviewers for their insightful and helpful comments. The IU authors are supported in part by NSF 1408874, 1527141, 1618493, 1618898 and ARO W911NF1610127. Also, authors from Tsinghua University are supported in part by the National Natural Science Foundation of China (grant 61772307) and CERNET Innovation Project NGII20160403.

Publisher Copyright:
© 2019 IEEE.


  • Anonymity
  • Embedded-systems-security
  • Malware-and-unwanted-software
  • Network-and-systems-security
  • Residential-IP
  • Residential-IP-proxy-as-a-service
  • Residential-proxy
  • Security-and-privacy-for-the-Internet-of-Things
  • Web-proxy


Dive into the research topics of 'Resident evil: Understanding residential IP proxy as a dark service'. Together they form a unique fingerprint.

Cite this