How to detect residential proxies
Residential proxies use real home and mobile IP addresses, which is why they slip past the techniques that catch VPNs and datacenter proxies. Here's what actually works, what doesn't, and where the limits are.
Why residential proxies are uniquely hard
A residential proxy routes traffic through a real home or mobile internet connection. The exit IP belongs to a regular ISP - Comcast, Vodafone, a national mobile carrier - and is, by every observable network attribute, the same kind of address as the IP next door that isn't running any proxy software.
Detection methods that work by classifying the IP itself - datacenter vs residential, hosting vs ISP, known-VPN vs unknown - succeed against datacenter proxies and commercial VPNs because those endpoints use a different kind of address. They cannot succeed against residential proxies, because the address looks identical to any other home connection on the same network.
Anything that detects residential proxies has to look past the IP's ownership and ask a different question: has this IP been observed acting as a proxy exit node? Everything below is some answer to that question.
Approach 1: Network classification
The cheapest check is the one you can run from a single API call against any IP-data provider: classify the IP address by the network it sits in. Hosting and datacenter ASNs are well-catalogued, and flagging them eliminates the bulk of casual VPN and datacenter-proxy traffic.
Where this approach hits a wall
A residential proxy's exit IP sits inside a residential ISP's address space and resolves to a residential reverse DNS. None of the heuristics above can tell it apart from the home connection two doors down. They are useful as a baseline - they catch the easy stuff - but on their own they will miss every residential proxy in your traffic.
What IPHub's Basic plan covers
The Basic plan covers this baseline out of the box - VPN, Tor exit nodes, open proxies, and datacenter/hosting IP addresses, with ASN classifications largely hand-curated rather than auto-derived from registry data. It is the right tier if your traffic risk is dominated by datacenter-class proxies. Catching residential proxies on top of that needs the approach below.
Approach 2: Active P2P network monitoring
The only way to know an IP is acting as a residential proxy is to observe it doing so. In practice that means joining the peer-to-peer (P2P) proxy networks as a client and routing test traffic through them - each successful exit through a given IP is direct evidence that the IP is currently part of the network.
The output is a continuously updated list of IP addresses that have been confirmed as exit nodes, with a timestamp on each confirmation.
What this approach gets right
It is the only approach that flags an IP before a fraudster's first request hits your application. By the time application-layer signals (failed payments, suspicious login patterns) fire, the damage is partly done; an IP-level signal lets you intervene at the front door.
What it costs and where it's limited
- Coverage is bounded by which networks you can join. A network you cannot get inside is one you cannot observe.
- It needs to run continuously. Residential proxy networks rotate IP addresses aggressively, so a snapshot from last month tells you about last month's exit nodes - not today's.
- Confirmations have a freshness window. An IP confirmed as a proxy yesterday is high-confidence; an IP confirmed three months ago may have rotated out of the network entirely.
What IPHub's Professional plan covers
The Professional plan adds residential proxy detection on top of the Basic baseline, exposed as the residentialProxy classifier with confidence split into block=1 (recent, high-confidence) and block=2 (older, soft signal). The overview has the API-side picture; the best-practices guide covers integration.
The operational reality
Even with active monitoring, the signal is probabilistic, and a detection system has to acknowledge that in three places:
- Confidence decay. A "confirmed today" hit and a "confirmed three months ago" hit are not the same signal. IPHub splits these into
block=1(recent, high-confidence) andblock=2(older, soft signal). See the overview's FAQ entry onblock=2. - Shared-IP false positives. CGNAT, mobile carrier pools, and dynamic residential IP addresses all share an address across many subscribers. One subscriber running proxy software is enough to flag the shared IP for everyone behind it. The best-practices guide's section on false positives covers the patterns and how to keep legitimate users out of the blast radius.
- Cache TTLs. Residential proxy IP addresses rotate continuously, so long cache windows let stale verdicts pile up. The caching section of the best-practices guide has concrete TTL guidance.
Detection is one input to a decision, not the decision itself. The right response to a flagged IP depends on what action it's about to take - logging on a content page, friction on account creation, manual review on a payment - and the best-practices guide's response patterns map signal strength to response.
Frequently asked questions
Reliably enough to be useful, not perfectly. Active monitoring of P2P proxy networks produces a continuously updated list of confirmed exit nodes, but residential proxy IP addresses rotate, networks change, and any single IP carries some chance of being a false positive. The right framing is that detection gives you a high-value signal to combine with your own behavioural and account-level signals - not a verdict to act on alone.
A commercial VPN's exit IP addresses sit on hosting infrastructure owned by the VPN provider, so they're identifiable by ASN, hostname, and reputation data. A residential proxy's exit IP addresses are real residential ISP addresses, indistinguishable from any other home connection by ownership data. VPN detection is largely a list-and-attribute problem; residential proxy detection requires actively observing the proxy networks themselves.
In principle, yes. In practice, the operational lift is the hard part: you need to identify which P2P proxy networks matter for your traffic, get a client into each one, route traffic through them continuously, capture exit-node IP addresses, store and serve the resulting list with low-latency lookups, and keep the whole pipeline running as networks change.
For most teams, the cost of standing that up and keeping it healthy outweighs the cost of consuming a feed from a provider that already runs it. The same logic applies to most IP-reputation problems; residential proxies sit at the harder end of the spectrum.
Accuracy depends on the freshness of the underlying data and the structure of the IP. A high-confidence hit (IPHub returns this as block=1) means the IP was confirmed acting as a proxy recently enough to trust the verdict. Older observations come back as block=2 - still useful as a soft signal, but with the IP having had more time to rotate out. False positives concentrate on shared addresses (CGNAT, mobile carriers, dynamic residential IP addresses); the best-practices guide covers how to handle them.
Continuously. The exit-node population of any given P2P proxy network turns over on the order of hours - new IP addresses join as users install bandwidth-sharing apps, others drop off as devices go offline or rotate addresses. Detection that runs against a static list goes stale fast; detection that consumes a continuously updated feed stays useful.
Related
- Residential proxy detection overview - what it is, who needs it, the API response.
- Best-practices guide - response patterns, false positives, caching, and handling user reports.
- Residential proxy database - downloadable feed in CSV or MMDB.
- API documentation.
Ready to look an IP up?
Free lookups are available without an account. Residential proxy detection is included in the Professional plan.