The Threat of Residential Proxies
Cryptography & Security Newsletter 138
30 June 2026
Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It’s designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.
The last several years have seen the continuous rise of so-called residential proxies. If you’re not familiar with this term, the name refers to the proxies usually (but not always, as we will see later) installed at residential addresses and used for website scraping and similar activities. It’s a fairly niche topic, and it’s quite likely that you won’t have heard about it. It is, however, a phenomenon that requires your attention.
What Are Residential Proxies?
A great number of services on the Internet try to walk the fine line between providing their wares to the general public and detecting and eliminating unwanted traffic. Take scraping, for example. It’s ever popular, but increasingly difficult to do. If you try to monitor some of the top websites from a single IP address, you will often end up being blocked, and quickly. If you then try to scale your scanning to use multiple IP addresses from servers at various cloud providers, you’ll find that data center traffic is very often blocked wholesale. It’s usually at this point, looking for a solution, that you learn about the existence of residential proxies.
Scraping is often not desired, but it’s not necessarily illegal. Intensive scraping, however, is definitely a problem that websites need to deal with. Those reaching for residential proxies exist on a spectrum from entirely legitimate (as anyone wanting to do any sort of paid network monitoring can attest to) to nefarious. Criminals attempting to exploit websites, for example, often reach for residential proxies to hide their tracks.
Recently, the rise of AI and AI agents has further increased the demand. For example, the AI vendors want to train on the content available on the Internet. In addition, individuals using AI want to give their tools the same unrestricted access that they enjoy. It is now believed that bots generate more internet traffic than humans. Perhaps this is a problem we can address by balancing the economy of scraping, by finding a way for the bots to pay for their access. (Cloudflare had this idea in 2025 and later created the x402 standard with Coinbase. AWS recently added support for this payment protocol to their WAF product.)
It’s Worse Than You Think
To start a residential proxy operation, you need a great many network endpoints all around the world. But how do you build such a network? As it turns out, there are two approaches. One is where you’re pretending that you’re doing it legally. You create software development kits for popular devices that exist in large numbers—for example, mobile phones and TVs—and then entice software developers (with money, of course) to embed your proxy software in their applications. In the worst case, the proxy code is silently deployed alongside the applications, which are often provided for free. In the best case, a consent screen is presented to end users, and they opt in to operate a proxy exit node, but does anyone really believe that such consent is informed? If you’d like to understand more, read this recent report from Include Security. According to Synthient, most victims are, well, residents.
The other approach is to build your network in any way you can, using any means, including the very illegal ones. Hacking into routers is always effective, but enterprising criminals are getting much more creative than that: it’s documented that many of the cheap devices one can buy come with residential proxy malware preinstalled. Imagine this: you buy a nice digital frame for your family photos. Unbeknownst to you, the frame is a Trojan horse, and you’re now part of a botnet. KrebsOnSecurity published an in-depth report on how some of these networks operate.
Your Local Network Is Under Attack
It’s easy to think that this is not a big problem, because—what’s the worst that can happen? If you’re lucky, someone benign will scrape from your IP address and use some of your bandwidth. If your IP address becomes associated with a residential proxy network, you may quickly discover that you can no longer access your websites. If you’re really unlucky, you may get a visit from the FBI or your local government agency because someone used your IP address as a stepping stone in a cyber attack.
Increasingly, residential proxy networks are used by criminals to give them access to your internal networks. Although some providers claim to restrict access to private IP addresses, their code is usually poorly written. No one claimed these people understood network security. Apparently, a great many Android-based devices are shipping with something called Android Debug Bridge, designed for manufacturer troubleshooting. On your network, it allows your devices to be quickly rooted. There is increasing evidence of residential proxy traffic from enterprise networks. A recent report from Infoblox (providers of protective DNS services) claims that as much as 65% of their customers have traffic traveling to residential proxy networks.
It’s not easy to know what to do. At home, consider using virtual networks to separate important devices from everything else. Monitoring of the traffic volumes is a good idea, too. Other than that, there is no certainty if anyone in your household can install new apps on your TVs. In enterprise environments, you’d ideally not allow unknown devices on your networks, but that’s e…
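
One way to act on the traffic-volume advice for the home network, as an added example that is not part of the original newsletter: sum each device's external traffic and flag the ones that send out about as much as they receive, to many destinations, which is the shape of a relay rather than a TV or photo frame. The flow record layout, device names, LAN range and thresholds are all assumptions, and the records are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed home network range
MIN_UPLOAD = 5_000_000               # assumed thresholds; tune to your own baseline
MIN_DESTS = 20
MIN_RATIO = 0.5

# Constructed flow records: (device, destination IP, bytes sent, bytes received).
FLOWS = [
    ("tv", "198.51.100.20", 2_000_000, 900_000_000),        # streaming: download-heavy
    ("laptop", "198.51.100.10", 40_000, 900_000),           # browsing
    ("laptop", "198.51.100.30", 80_000_000, 90_000_000),    # video call: one peer
    ("laptop", "192.168.1.5", 50_000_000, 1_000),           # backup to a local NAS
]
# A relaying device: many destinations, and it sends out about as much as it receives.
FLOWS += [("photo-frame", f"203.0.113.{i}", 400_000, 420_000) for i in range(1, 31)]


def summarize(flows):
    """Total external bytes and distinct external destinations per device."""
    stats = defaultdict(lambda: {"up": 0, "down": 0, "dests": set()})
    for device, dst, sent, received in flows:
        if ip_address(dst) in LAN:      # traffic that stays on the LAN is not relayed out
            continue
        s = stats[device]
        s["up"] += sent
        s["down"] += received
        s["dests"].add(dst)
    return stats


def suspects(flows):
    """Devices whose external traffic has the shape of a proxy exit node."""
    flagged = []
    for device, s in sorted(summarize(flows).items()):
        ratio = s["up"] / max(s["down"], 1)
        if s["up"] >= MIN_UPLOAD and len(s["dests"]) >= MIN_DESTS and ratio >= MIN_RATIO:
            flagged.append((device, s["up"], len(s["dests"]), round(ratio, 2)))
    return flagged


if __name__ == "__main__":
    for row in suspects(FLOWS):
        print(row)
```

The laptop's video call uploads far more than the photo frame does but goes to a single peer, so volume alone would flag the wrong device; the destination count is what separates the two.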