SURF Security & Privacy Conferentie 2026

The Ins and Outs of Residential Proxies
25-6-2026, Session room 3 (3B.38)
Language: Dutch

Residential proxy networks route traffic through the IP addresses of real households, allowing their customers to appear as ordinary residential users. In this session, you gain practical insight into how these networks are used and what this means for detection and mitigation in your own organization.


Residential proxies are widely used for purposes such as web scraping, ad verification, and geo-restriction circumvention, but they also facilitate fraud, credential stuffing, and other forms of abuse. While prior work has studied these networks from the customer side, comparatively little attention has been given to the two other key vantage points: the network operators who unknowingly carry this traffic, and the proxy client software installed on residential devices. In this work, we examine residential proxy networks from both perspectives.

From the outside, we collaborate with SURF to characterize residential proxy traffic as observed on their network. From the inside, we reverse engineer the client applications of several major residential proxy providers (including Honeygain, PacketStream, pawns[.]app, Proxyrack, earnApp, earn[.]fm and more) to uncover their command-and-control architectures, tunneling protocols, and protection mechanisms.

Together, these complementary viewpoints provide a comprehensive understanding of how residential proxy networks operate in practice, and inform potential detection and mitigation strategies for network operators and the security community.

Etienne Khan is a PhD candidate with the Design and Analysis of Communication Systems (DACS) group at the University of Twente, Netherlands.
His research focuses on residential proxies (RESIPs) and their usage on the Internet.