Abstract
Residential IP Proxies (RESIPs) enable proxying out requests from a vast network of residential devices without inserting any information revealing it. While RESIPs can be used for legitimate purposes, previous studies also associate them with malicious activities. In our last work, we proposed a server-side detection method for RESIP connections based on the difference in the Round Trip Time at the TCP and TLS layers. In this new work, thanks to real-world connections, we investigate if and how specific factors in the client environment influence the technique. We show that genuine users utilizing web browsers or performing hotspots do not result in false positives for our technique. Moreover, our early results suggest that false positives caused by Mobile TCP Terminating Proxies used by mobile Internet Service Providers have a Round Trip Time difference higher than the detection threshold but much smaller than the average RESIP one. This suggests that we can reduce these false positives by highering the detection threshold for mobile connections.
Elisa Chiapponi
Security Researcher
Security Researcher in the Application Security Operation Center at Amadeus