Announcing the Synthient IP Risk Database

Residential proxies pose numerous challenges to online platforms. Static indicators fall short, with residential proxy providers using sketchy mobile SDKs or free VPN apps to build large pools of IP addresses. Attackers can use these IP addresses to conceal their attacks, making it appear as if each request is coming from a legitimate device. This latest release of Synthient V3 aims to improve the identification of leased IP addresses and the detection of active proxies.
The goals are to:
- Enable companies to recognize malicious patterns and filter out fraudulent traffic.
- Give CTI researchers and DFIR practitioners the tools needed to detect and pivot on adversary infrastructure.
Expanding Residential Proxy and VPN Coverage
One of our goals is to equip clients with the data and tools needed to detect fraudulent patterns. Knowing that an IP address is associated with a residential proxy is not enough to block the traffic outright due to the inherent nature of residential proxies. Our tests show that combining IP intelligence and specific JavaScript signals allows for the high-confidence detection of active proxies. As a result, we've made a tremendous effort to map out the largest proxy providers, achieving upwards of 99.9% coverage among the larger networks.

👉 Explore the data for yourself at search.synthient.com.

Fig 1. Numbers obtained from inquiry or publicly available information.
Challenges Faced
One of the difficulties faced in mapping proxy providers is the reseller ecosystem. Larger resellers often contact other providers, offering cheap deals to resell their products. We estimate the total number of unique proxy pools to be between 12 and 18, with most providers reselling IPs from these pools. To account for this and maximize our coverage, we will ignore white-label resellers and focus on mapping the source pools directly.




