Resident Evil: Understanding Residential IP Proxy as a Dark Service

Publication Type: Conference Paper
Year of Publication: 2019
Authors: Mi, Xianghang, Feng, Xuan, Liao, Xiaojing, Liu, Baojun, Wang, XiaoFeng, Qian, Feng, Li, Zhou, Alrwais, Sumayah, Sun, Limin, Liu, Ying
Conference Name: 2019 IEEE Symposium on Security and Privacy (SP)
Date Published: May 2019
ISBN Number: 978-1-5386-6660-9
Keywords: anonymity, Companies, compromised hosts, Computer crime, computer network security, dark service, dark web, elusive gray services, Embedded-systems-security, emerging Internet business, engineered RESIP services, Human Behavior, human factors, illicit operations RESIP hosts, Internet, Internet service, invasive software, IP networks, Logic gates, malware hosting, Malware-and-unwanted-software, Network-and-systems-security, proxy hosts, pubcrawl, resident evil, residential IP proxy, residential networks, residential proxy, residential-ip, residential-IP-proxy-as-a-service, residential-proxy, RESIP IP, Security-and-privacy-for-the-Internet-of-Things, server-side, Servers, underground business world, web-proxy

An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes hosts within residential networks (in contrast to those running in a datacenter) to relay its customers' traffic, in an attempt to avoid server-side blocking and detection. Despite the prominent roles these services could play in the underground business world, little has been done to understand whether they are indeed involved in cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis of them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our own clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed, and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about RESIP services that were unknown before. Despite the providers' claim that the proxy hosts joined willingly, many proxies run on likely compromised hosts, including IoT devices. By cross-matching the hosts we discovered with labeled PUP (potentially unwanted program) logs provided by a leading IT company, we uncovered various illicit operations performed by RESIP hosts, including illegal promotion, fast fluxing, phishing, malware hosting, and others. We also reverse engineered RESIP services' internal infrastructures and uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of its security risks.

Citation Key: mi_resident_2019