I've been grappling with the challenge of detecting residential proxies lately. Dealing with credential stuffing or scraping attacks is one thing when the sources are obvious, like DigitalOcean IPs. But it's a whole different ball game when the traffic seems to be coming from a legitimate home connection, like my grandma's Verizon FiOS.
These residential proxies make traditional IP security measures feel almost useless. Since the traffic blends in with real home users, IP reputation lists don't catch them.
We dove deep into this and found some subtle indicators that might help differentiate real users from bots lurking behind these proxies.
For instance, we've noticed some packet-level clues—examining TCP/IP headers sometimes reveals inconsistent TTL values or abnormal MTU sizes that suggest traffic is routed through another device. Then there are the HTTP header mismatches; proxy software doesn't always perfectly spoof everything, leading to conflicts in `Accept-Language` headers, timezone data, and geolocation.
Additionally, some proxies leave specific ports open on the client device, allowing us to detect them through a quick port scan.
It's clear that relying on a single data point is futile; we need to correlate multiple signals to build a confidence score. So we developed our own scoring engine, which proved way more effective than just using a blocklist. Instead of merely blocking suspicious traffic, we can now decide whether to serve a CAPTCHA, flag an entry for review, or let it pass through.
I'm eager to learn from you all—are you finding success with TLS fingerprinting, or are you mostly using behavioral analysis to tackle these sophisticated threats?
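A sketch of the multi-signal scoring described in the post above, added here as an illustration and not the poster's engine. The `Observation` fields, the weights, the MSS cutoff of 1400 and both thresholds are assumptions to be tuned on labelled traffic.

```python
from dataclasses import dataclass
from math import prod

# Assumed per-signal weights (0..1); not taken from the post.
WEIGHTS = {"ttl_os_mismatch": 0.40, "low_mss": 0.20, "lang_geo_mismatch": 0.25,
           "tz_geo_mismatch": 0.35, "proxy_port_open": 0.45}
INITIAL_TTL = {"windows": 128, "linux": 64, "macos": 64, "android": 64, "ios": 64}

@dataclass
class Observation:          # hypothetical record assembled at the edge
    ua_os: str              # OS claimed by the User-Agent
    ttl: int                # TTL seen on the client's SYN
    mss: int                # TCP MSS option from the SYN (proxy for path MTU)
    accept_language: str    # raw Accept-Language header
    tz_offset_min: int      # client-reported UTC offset in minutes
    geo_country: str        # geo-IP country of the source address
    geo_tz_offsets: tuple   # UTC offsets plausible for that geo-IP location
    open_proxy_port: bool   # outcome of the port check mentioned in the post

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (64, 128, 255) if observed <= t)

def signals(o):
    langs = [p.split(";")[0].strip().lower() for p in o.accept_language.split(",")]
    regions = {l.split("-")[1] for l in langs if "-" in l}
    checks = {
        # The SYN's TTL family disagrees with the OS the browser claims to be.
        "ttl_os_mismatch": INITIAL_TTL.get(o.ua_os) not in (None, initial_ttl(o.ttl)),
        "low_mss": o.mss < 1400,  # assumed cutoff; tunnels shrink the MSS
        "lang_geo_mismatch": bool(regions) and o.geo_country.lower() not in regions,
        "tz_geo_mismatch": o.tz_offset_min not in o.geo_tz_offsets,
        "proxy_port_open": o.open_proxy_port,
    }
    return {name for name, hit in checks.items() if hit}

def score(fired):
    """Noisy-OR: each fired signal raises the score; several together compound."""
    return 1 - prod(1 - WEIGHTS[s] for s in fired)

def decide(o, captcha_at=0.5, review_at=0.8):
    s = score(signals(o))
    action = "review" if s >= review_at else "captcha" if s >= captcha_at else "allow"
    return action, round(s, 3)

# Constructed sample observations (not real traffic).
HOME = Observation("windows", 117, 1460, "en-US,en;q=0.9", -300, "US", (-300, -240), False)
PROXIED = Observation("windows", 52, 1360, "ru-RU,ru;q=0.9,en;q=0.8", 180, "US", (-300, -240), True)
TRAVELER = Observation("windows", 120, 1460, "de-DE,de;q=0.9", 60, "US", (-300, -240), False)
```

With these weights no single signal reaches the CAPTCHA threshold, so a traveler with a foreign locale gets a challenge only when two signals agree, while the constructed proxied session trips all five and is sent to review.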
1 Answer
I totally feel you! Residential proxies can be tricky. We've had success using JA3/JAA fingerprinting for TLS traffic, as well as analyzing supported ciphers and versions. It helps us differentiate some traffic that's trying to masquerade as legitimate.
Thanks for your input! I agree that focusing on actionable insights is key. Glad we’re on the same page!