
Slaying Hidden Threats in Residential and Mobile IP Proxies

BSides NYC · 2025 · 27:47 · 30 views · Published 2025-12 · Watch on YouTube ↗
Speaker: Christo Roberts
Category: Technical
Style: Talk
About this talk
Christo Roberts explores how residential and mobile IP proxies work, why they're attractive to attackers and grey-hat actors, and the technical defenses deployed by platforms like Cloudflare. The talk covers the proxy market, authentication evasion techniques, and multi-layered detection strategies including heuristics, behavioral analysis, and browser-based challenges.
Transcript [en]

Besides the annoying popups that make you click on them. Okay. Two, three, four. Okay. Five, six, seven, eight. Okay. Who here uses Cloudflare for work? A couple of people. Okay. Who here uses Cloudflare for personal stuff? Another couple of people. Cool. Awesome. It's awesome working for a company, or at least talking to people that know my company, know what we do. I'm ready to start whenever you guys are. >> Yep. >> Just gave us >> I got a whole bag of these glasses for people that answer questions or have questions. So we're going to make this fun and interactive. I know it's late in the day. There's not many people here. I think everybody will get one of these eventually on the way out, maybe. But first come, first served to people that interact.

What's that? >> I cannot. >> They're about anonymity, they're about hiding, but they also block my site. I can see them this way. >> Yeah. Oh, by the way, the QR code is my LinkedIn. I'll share any of the slides with you. I'll collaborate with you. I'll send you the video if you want. You can't find it elsewhere. So grab the QR code, and I'll put it at the end also, in case you're not that interested now but you might be interested at the end.

So, my name is Christopher, but I go by Christo because there are so many Chrises in the world and I wanted to stand out. A buddy of mine in college started calling me that, and I built my career being Christo when I moved to New York City. I'm from California, and I moved to New York City out of college: first the Upper West Side, then Manhattan, Alita, and then Park Slope, and then Williamsburg, Greenpoint. 20 years I spent in New York City, and it's been six years since I went to Northern California. That's where my mom lives. I'm kind of helping her out, letting the kids have the grandma experience. So I can't wait to move back to New York City. I'm so happy to be here. >> All right, Chris. >> Yes. Cool.

So, as I was saying, well, first off, let's just kick it off with... should I go back? Can I go back here in the slides? Let's go. I can't go forward or backward. So I'm missing something. That's forward. Okay, let's go backward. Okay. I started this presentation at BSides San Francisco in April. I hadn't done one of these my-own-research kind of presentations before. I work at Cloudflare. They have these awesome blog posts all the time, all these new topics. And I grabbed one of the blog posts, ran it through ChatGPT, fed it some abstracts of BSides presentations from the past, and said, "Give me an abstract so that I can present at the BSides coming up." I did it all at the last minute in December, and I got accepted to speak in San Francisco on this topic. And then I read the fine print and realized, oh wow, I can't talk about Cloudflare too much. I need to focus on the technology and not what we're selling. So I had to go back and do the research. So that's how this talk came about. And the theme at BSides San Francisco was "there be dragons," kind of Game of Thrones style. So I created this with a dragon theme, and then a buddy of mine said, "Oh, why don't you submit to some more conferences?" So I submitted it to HouSecCon, the Houston Security Conference. I did that last month, and their theme was space cowboys. So I layered that in. I didn't really see a theme here, so you guys are getting dragons versus space cowboys. Space cowboys are the good guys. Even though they have a black hat, we're the good guys here. Okay. All right. So that's the theme. That's how we're doing this. Again, my name is Christopher. I go by Christo. New York City is my safe, happy Mecca spot, and I love to be here. I walked all around the city last night. Frankly, I stayed out till 4:00 a.m. last night, but I only got a couple of hours' sleep because I thought I'd be presenting earlier today. So now here I am after some coffee, and I'm glad to be here.

So, let's get going. Who knows about this topic? One, two, three. Who uses mobile or residential IPs, or has used them, not to do grey hat stuff... Yeah. Yeah. Gray hat, black hat-ish. Okay. It's a super interesting topic to me. So we all use VPNs to hide ourselves, right? Or for work, or both. Well, this is the method of hiding but not getting detected. So being able to get away with botnets and gray hat and black hat stuff, and even some white hats use this too. There are reasons to do it. But this talk is about these residential and mobile IPs, and they're called proxies because basically you can borrow other people's IPs and proxy your traffic through them, just like a VPN, and get away with things. Okay. By the way, the first part of this talk is going to be from kind of a gray/black hat point of view, and the last quarter is going to be about how to detect and block it and what to do about it. But what this is not going to be about: I'm going to talk about Cloudflare, but I'm also going to talk about other ways to do it too. I'm not going to make any hardcore endorsements, and there are no silver bullets in this game. That's the interesting thing about how to catch this.

So if you don't take anything else from this talk, this is the slide. IP address anonymity. I'm going to be calling them IPs from here on, but they're really IP addresses. Hiding where you're coming from. We all know we need IP addresses, but you're hiding where you're coming from, and how to make those IP addresses look authentic and not look like you're doing something sketchy, because when you're on a VPN, you look sketchy. You look sketchy to the publisher, to Nike when you're trying to buy the latest sneaker with a bot, or to Instagram as you're trying to [ __ ] with their algorithms and pump up your own traffic. So those two things, plus sketchy activity (sketchy could be taken different ways), equals money. Google Slides gave me a great jackpot slide with AAA coming up on the jackpot for that.

So, quick story. This is me going to Oaxaca with my two kids recently, on the way to Oaxaca, Mexico. Highly recommend it. Happy to talk about the mezcal and the food down there anytime; hit me up later. But on the plane, I've got to entertain the kids somehow. They can't be on their phones all the time, and they can only play so many card games. So we got the Waldo book. We've all had this as children, right? So who can find Waldo up here? Pair of glasses. Anybody? Anybody? No. Okay. Okay. How about one of the 10 different dragons that are hiding there? Anybody? Anybody? Dragons. Oh, okay. Can you catch... There you go. Oh, there you go. You got one, too. Okay. Well, here's Waldo for those that couldn't find him. Okay. No, that's not fair. He's hiding, just his head showing. Come on. But that's how these advanced books get, right? Well, there are all the dragons. They're all hiding in plain sight. You didn't see them there, but they were there. That's the concept here: how to hide in plain sight.

So, who uses these things? I mentioned earlier black, gray, white hats. So the answer is D, all of the above. I had this great slide earlier that had purple hats and red hats and blue hats, all these different types of hackers. So everybody can use these, and they do. So why use them? I hit this before; I'm hitting it again because it's so important. Okay, so you get that idea. Now this is where it gets really interesting, I think. All these different use cases. So we talked about sneaker bots. I had somebody come up to me after BSides San Francisco and say, "Hey, look, I got into this Discord group for web scraping, and then they invited me back into the private space, and that's where the real [ __ ] goes down," because they run campaigns there, where someone from, maybe, I don't know, Saudi Arabia will come and say, "Hey, I want this new Louis Vuitton Supreme crossover purse or whatever, and I'm willing to pay $10,000 for it. It's going to cost $1,000, but I don't know how to get it in that flash sale." So then those 20 people will all decide who's going to go after it, and they're going to spend their own resources. They're going to rent these IP addresses. They're going to use anti-detect browsers, and they're going to fire up a botnet and go after that sneaker on Nike, or this Louis Vuitton Supreme crossover. And if they get it, they'll ship it to the destination, and they'll make their money that way. So that's one way of doing it. Call it sneaker bots.

But all the AI tools out there are doing this now too. I don't mind saying Perplexity is the one that's being really mean, or lying about what they're doing right now. At Cloudflare we detect bots. We can detect all the AI scrapers. It's a big thing we're doing right now to help the industry, the advertising industry; we're trying to make a marketplace for AI scrapers to pay for their traffic. But Perplexity is sneaking around that and using this kind of approach with these mobile IPs to get around detection, and hopping between different AS numbers, ASNs.

But I found the social media one really interesting. I learned a lot about this in my research from this guy doing OnlyFans, spinning up his OnlyFans account. He knew all about this stuff, and he had no idea about technology. So he was teaching me how these people use these in order to create an OnlyFans account and then use a bunch of different accounts at the exact same time from the same laptop and come in there and pump it all up and get the algorithms really going. So, I was going to say this earlier; I forgot to mention it. I think that this talk, even though there's not a ton of people here, affects everybody at this whole conference more than most of the other talks here, because we're all on social media and we're all getting affected by these algorithms. Maybe we're not all shopping for sneakers, but this affects us, the way that these things are being used. But on the good side, ad verification. Maybe you want to check to make sure that an ad is getting served in the right geo the right way. That kind of a thing. So there are a lot of different use cases for this. And I also want to make a very clear point that, like our guy in the blue hat back there, that's the gray hat. He's not doing anything illegal. Gray hatting is not illegal. So you can't get caught or busted for this kind of stuff. It happens.

So, what are these and how do they work? Quick key concepts. I think we all know what an IP address is. It's like a phone number or the address of your house. Hey, I get microdose mushrooms sent to me from a church in Oakland. But I have to put my real address on it. Even if I use a fake name, it's got to come to my house, right? So you need an IP address. You have to have an IP address to get traffic back and to interact with the website. And that's the one thing that you can't spoof, right? I've been doing this webdev stuff for a long time, and user agents are a joke. Anybody can spoof a user agent or any header, but IP addresses you can't fake, and that's why this whole industry has evolved around these mobile IPs. And then we have network address translation. And then the really interesting one is carrier-grade NAT, CGNAT. That's where mobile carriers like T-Mobile have even more IP addresses to handle, with all the devices out there and only so many IPv4 addresses, so they have to change the IP address when you go from tower to tower to tower. So we'll talk about that in a minute, but that's where it gets super interesting. And then you've got these anti-detect browsers that get in the mix and help, and then anti-bot vendors like Cloudflare and our competitors in that space. So how it works is: the user has an IP address. This is the basic flow. It goes to a proxy server, like using a VPN, and this is kind of the clean, good guy, white hat flow. But when you get a gray hat or black hat on that proxy server, it can turn into a Trojan horse to hide who you are, and you become invisible. So all of a sudden your IP address is private, and the public, the website, can't see you any longer.

So now we're getting into how this really works under the hood. All of us have tons of bandwidth at home that we don't use. You can resell that on the market to these middlemen, and you can resell your IP addresses. You have NAT at home. You have, I forget how many addresses it is; someone in here knows. But you have tons of private IP addresses that you could sell to someone else, rent out. So there is a whole market for you to do that from your house. Somebody could attack you, too. I have part of the story later on, but I think I took the slide out: an architecture firm got hacked, and this researcher from Akamai, the company I used to work for, found this out. This guy hacked this architectural firm and was using their IP address space to rent out to these providers and making passive income on it. And he closed his back door, and nobody even knew about it. The company that was paying the ISP bill didn't even know this was happening. So you could do it from a residential point of view, and as you can see here, you could aim to scalp tickets, hit Ticketmaster, Nike, Instagram, and the like, right?

Well, it gets really interesting from a mobile point of view, like I was saying earlier, because these IP addresses are more authentic, back to that authenticity word. The residential IPs don't change that often; the mobile IPs change all the time, and that creates this opportunity for them to be way more authentic. So if you start using one IP address to do some sneaker botting, I don't really want to use that same IP address to go back to Nike at the exact same time. But if the IP address changes, then I can use that same service again very quickly. And so this whole market has evolved of all these companies. Now, a lot of these companies are legit, actually. Some of them have been out there for seven or eight years and are making hundreds of millions of dollars, and they talk about ethically getting hold of these IP addresses, meaning people voluntarily giving them up. There are unethical ways too, like a Chrome extension might take over your IP address and start using it, or someone's using some, I don't know, Google Sheets tool or something like that. So there are ethical and unethical ways to do it, and it's kind of weird about which ones, where they're getting all their IPs, but there are a lot of reviews around them about what's good and what's bad. And there are also rotating IPs, if you want to pay for those, or you can pay for ones that are static. It depends on your use case and what that publisher expects from the IP addresses, to lead you as to which ones you would use. And here I just wanted to call out that, as you can see, the mobile ones are the most valuable. You can see they're the most expensive to rent out. The residential IPs, not so much. There are even data center IPs, if you want to use those for certain use cases, and they're super cheap, but they don't change that often. So they're good for certain use cases but not all. And you could pay for site unblocker tools on the side at the same time.

So this has created this rise of mobile IP proxy farms. Maybe you guys saw this article in Wired recently. I think it was a couple of weeks ago; I see some nods in the room. Anyone believe that article? Let everyone know what it is: they found one of these farms, some warehouse outside of New York City. I don't know, where was it? Jersey or somewhere? I don't know. >> New York City. >> It was in New York City. Do you know what borough? >> It was near the UN. >> And they said what? And there were like a hundred thousand of these, right? Different SIM cards, right? And some really fat bandwidth pipe there. Well, the Wired article said that, oh wow, they could DDoS the UN and knock out cell phone service as they got attacked by, I don't know, protesters or something like that. I call [ __ ] on that. All that was was a sneaker bot farm. It's a business. They're just selling the IP addresses. It just happened to be here because there are a lot of people here, and they could get away with it and have a lot of fast bandwidth. But look at this one here. This is a school bus. They drive them around in the school bus to make them authentic all the time. So all these are SIM cards connected to fast bandwidth or a cell phone provider. The old-school way of doing it is actually having them all hooked up to Android phones or something like that. But the new way of doing it, like the top middle one, is a kit you could buy and run it yourself. I've been thinking about doing this for my own passive income. So anyway, this is kind of how this stuff works under the hood. And this is the proxyjacking one. That's what they call it when you attack someone and take their IP address, and they don't even know about it, and you start using it.

So I mentioned the anti-detect browsers. Here's a handful of them, and how much they cost per month, but these ones really focus on hiding your fingerprint. So I'm going to talk in a minute about the different types of detection techniques, but these guys specialize in constantly staying ahead in the cat-and-mouse game and evolving, so you don't have to worry about doing it yourself. So, bringing it all together from an attacking point of view, I guess I'd call it, even though there are white hats in here too. I put some bullet points in there to just mention again how this works. But the diagram over there from our Cloudflare blog is basically: an attacker uses these tools, fires up a botnet, and does stuff that's typically gray/black hat stuff, but can also do white hat stuff at the same time. But that's kind of the lay of the land there.

Okay, so now on to the defenses. How are you going to stop them? Well, it's going to be really hard doing it yourself. That is an approach. You could look at, I know it's an eye chart here, but Germany at top left is the IP address. You can match that up to the language headers. That's the way to do it. This one is English. It doesn't accept German, but it's coming from Germany, so maybe you stop it based on that. Another cool trick I learned was this WebRTC one. The second arrow down there: the server could challenge the browser for a WebRTC connection and check that IP address to see if it matches the requesting IP address. It's another way to see if that matches. So there are these kind of weird techniques that you could try from a DIY point of view. And yeah, you'll do something, but the next level up is, if you're willing to pay for it, these services aren't that expensive, I don't know, 50 bucks a month or something like that. This is one of them. I forget what this is called. Proxy detect.live, but they're basically using best practices to do the same kind of thing and give you a rating on whether or not... This is me testing from my VPN. So that's why the VPN score is through the roof. But quite frankly, I didn't get enough time to actually try doing these things. That was my next step: seeing if I could trick these tools using these mobile IPs.

So the first approach is DIY, the second level of approach is using tools, and the third level would be using the pros. It costs a little bit of money, but if your data is important to you and there's money behind it, then it makes sense. So this is back in 2024, Q3, the last bot management Forrester Wave report. As you see, top right is theoretically the better. Cloudflare, my company, obviously we have this massive market presence. Quite frankly, we should have been way up there higher. I'm sure everyone else thinks they should be also, but DataDome and HUMAN, they're great, but HUMAN does a lot of manual detection. See, Cloudflare does so much more than just bots. So that's why it's very user-friendly and more cost-effective. But we really focused more on AI around bots, and this report wasn't ready for that. So I don't know, we got kind of dinged for that. But anyway, the point is, these are the pros to think about if you're into that.

And how Cloudflare does this. This is the actual article that I started all this from; that was my jumping-off point for this research. Our approach in brief is: at the top level there we look at the heuristics. By that we mean whether we see the IP address coming from similar requests, from similar geos, from similar types of users, from similar ISP ranges, and the headers and the paths and the different websites those IP addresses hit. We use a lot of machine learning at that level. The second level down, we're looking at behavioral patterns. And then the third layer down is what a lot of you guys who raised your hands know about Cloudflare but don't use, which is what we call Turnstile. That's this thing here. I'm sure you guys have seen it a ton. It's free to use. If you wanted to pay for it, you could put your own branding on it. But usually it's like this, or it's only a check. We effing hate CAPTCHAs. We put out this post talking about how many millions of years we've all spent solving CAPTCHAs, finding the crosswalks and the sushi and the motorcycles, and [ __ ] you don't even know: does the tire count or not? Does the pedal count on the bicycle or not? So we say no CAPTCHAs; it's just this kind of thing. This does a lot of tests in the browser. And so if you are doing a checkout flow or a sign-in flow, we recommend using this kind of a thing. And you don't even have to be using Cloudflare to deliver your content. Here's how it works. You can take the JavaScript code. It's a click of a button if you're using Cloudflare to deliver your traffic, but if you're not, you can still log into Cloudflare, create an account, grab the JavaScript, put it on your page, and then when the page loads, it runs off through an iframe to our side, comes back with a token, and then that token has to be available to do the login or the checkout, right? So that all happens on our platform, and then as an admin you can log into Cloudflare and see the results and look at the success rates and understand it better and be more aggressive if you want to.

So, last slide, key takeaways. These things are super sneaky. If there's money to be had, they're going to keep evolving and winning the cat-and-mouse race. Doing this stuff is typically not illegal. I mean, quite frankly, even doing black hat stuff isn't illegal if you don't get caught, and a lot of black hat stuff wouldn't necessarily be illegal. So you're not going to get busted if someone else is using your IP addresses. Nike is not going to call you up if you rented out your mobile phone IP addresses when you're not using them, and your bandwidth, and come after you. It just doesn't work that way. So this is definitely a solid industry. People are doing this all the time. And it's always going to be a game of cat and mouse. So if your data is important and your user traffic is important to you, then it kind of makes sense to pony up the money to pay for one of the leading providers to help you with that. And my wife has only one tattoo, which she got recently. It's on her arm, and it says "progress" on the top with a line and then "perfection" below. So progress over perfection, I think, is the name of the game in this pursuit. All right, got a couple of minutes for questions. About one minute or so. All right, let's go. >> Louder. >> Sorry.

How would you suggest someone do, like, scalable detection based off... >> So from the point of view of a protector, how do I recommend somebody... >> applies...

>> But that could actually... >> So you're saying, say a bad person is coming from what looks like a residential IP address. What do you do about that? >> Yeah, exactly. >> Well, I would recommend trying to use Turnstile to stop automated traffic, if they're... Yeah. >> Sorry.

I couldn't hear that.

>> You mean the jackpot one? >> Yeah.

>> Right. That's like the scenario...

...a hacked... but it's hard to make those distinctions.

>> Yeah. Yeah. It's very hard. Yeah. I mean, it's tricky. I think what you're saying is, if someone took over my Gmail account and it looked like I was coming from, I don't know, Brooklyn, is there anything you can do about that? Well, I don't know all the details of the story or the scenario, but what I'm saying is, it's good to stop automated traffic with this kind of an approach, but if it's human traffic, or a bot or human farm doing the traffic, it's a lot harder to solve, because they can solve the CAPTCHA just as easily, not CAPTCHA, but the Turnstile, just as easily as anyone else. It's a tricky, hard problem to solve. Yeah. I mean, I think it's maybe forensics, just digging into the logs and behavioral analysis of what they're doing. Yeah. Yeah. Quick last question. Do we have time? Just one more. >> Quick one. Go ahead.

>> So I heard... I heard hardware-based... >> hardware mobile...

of...

Check the WebRTC.

>> Yeah, that's... I don't have a solution for that, frankly. It's tricky. It's tough, man. Yeah, cat and mouse, man. The cat's winning in that case. Hit me up offline or outside here, and let's talk some more. >> Sure. >> All right, come on out and get some glasses, guys. I'll put them over here.
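The do-it-yourself checks the speaker lists on the defenses slide (Accept-Language against the country the source IP geolocates to, and the address a WebRTC probe reports from inside the browser against the address the request actually came from), plus the "similar ISP ranges" idea from the heuristics layer, combined into a small scorer. This is an added example, not code from the talk or from Cloudflare. The prefix table standing in for a GeoIP/ASN database, the per-country language expectations and the sample requests are all constructed for the example, and the browser-side WebRTC probe is assumed to have already run and handed its result to the server.

```python
"""Added example (not code from the talk or from Cloudflare): a minimal
do-it-yourself proxy scorer run over constructed sample requests.

Signals scored:
  1. Accept-Language vs. the country the source IP geolocates to
  2. the public address a WebRTC probe reported from inside the browser
     vs. the address the HTTP request actually arrived from
  3. whether the source prefix is tagged datacenter vs. residential/mobile

All prefixes, labels and requests are constructed for the example; a real
deployment would back lookup() with a GeoIP/ASN database.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for a GeoIP/ASN database. The prefixes are the
# RFC 5737 documentation ranges, so nothing here maps to a real network.
PREFIX_DB = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE", "datacenter"),
    (ipaddress.ip_network("198.51.100.0/24"), "US", "residential"),
    (ipaddress.ip_network("192.0.2.0/24"), "US", "mobile"),
]

# Languages a visitor from each country would plausibly accept (assumed
# table). A mismatch is a signal, not proof: expats, travellers and
# English-default browsers trip it, which is why it only adds to a score.
EXPECTED_LANGS = {"DE": {"de"}, "US": {"en"}, "FR": {"fr"}}

# RFC 1918 space. A WebRTC host candidate from one of these ranges is the
# browser's LAN address behind NAT and cannot be compared with the request
# source. ipaddress.is_private is deliberately not used: it also covers the
# documentation ranges above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(ip: str) -> Tuple[Optional[str], str]:
    """Return (country, kind) for ip, or (None, 'unknown') if not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, country, kind in PREFIX_DB:
        if addr in net:
            return country, kind
    return None, "unknown"


def parse_accept_language(header: str) -> List[str]:
    """Primary subtags in header order: 'de-DE,de;q=0.9,en;q=0.8' -> ['de', 'en']."""
    langs: List[str] = []
    for part in header.split(","):
        tag = part.split(";")[0].strip().lower()
        if not tag or tag == "*":
            continue
        primary = tag.split("-")[0]
        if primary not in langs:
            langs.append(primary)
    return langs


@dataclass
class Request:
    src_ip: str                      # address the TCP connection came from
    accept_language: str             # raw Accept-Language header
    webrtc_ip: Optional[str] = None  # address the browser-side probe reported, if any


def score_request(req: Request) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means more likely proxied."""
    score, reasons = 0, []
    country, kind = lookup(req.src_ip)

    # 1. Language header vs. geolocated country (the "Germany vs. English" check)
    langs = parse_accept_language(req.accept_language)
    expected = EXPECTED_LANGS.get(country)
    if expected and langs and not expected.intersection(langs):
        score += 2
        reasons.append(f"Accept-Language {langs} has no {country} language")

    # 2. Prefix type: datacenter space is cheap to rent and easy to tag
    if kind == "datacenter":
        score += 3
        reasons.append("source address is in a datacenter range")

    # 3. WebRTC: an HTTP proxy does not carry the UDP/ICE path, so a browser
    #    whose WebRTC address differs from the request source is reaching us
    #    through something in between.
    if req.webrtc_ip is None:
        score += 1
        reasons.append("no WebRTC result (probe blocked or WebRTC disabled)")
    elif any(ipaddress.ip_address(req.webrtc_ip) in n for n in RFC1918):
        reasons.append("WebRTC returned only a private host candidate; nothing to compare")
    elif req.webrtc_ip != req.src_ip:
        score += 3
        reasons.append(f"WebRTC address {req.webrtc_ip} != request source {req.src_ip}")

    return score, reasons


def decide(score: int, challenge_at: int = 3) -> str:
    """Map a score to an action: serve a browser challenge at or above the threshold."""
    return "challenge" if score >= challenge_at else "allow"


# Constructed sample requests, not captured traffic.
SAMPLES = [
    Request("203.0.113.7", "en-US,en;q=0.9"),                     # DE datacenter, English only, no WebRTC
    Request("198.51.100.20", "en-US,en;q=0.9", "198.51.100.20"),  # US residential, everything consistent
    Request("192.0.2.5", "en-US,en;q=0.9", "198.51.100.20"),      # US mobile, WebRTC exit differs
    Request("192.0.2.5", "en", "192.168.1.10"),                   # only a LAN candidate came back
]

if __name__ == "__main__":
    for r in SAMPLES:
        s, why = score_request(r)
        print(f"{r.src_ip:15} score={s} action={decide(s)} {why}")
```

The scorer feeds a threshold rather than blocking on any single signal, which is the practical point the talk makes: none of these checks is a silver bullet. The WebRTC comparison in particular needs care on the mobile side the speaker describes: a handset behind carrier-grade NAT can have its UDP and TCP flows mapped to different public addresses, so for addresses tagged mobile a same-prefix or same-ASN comparison is a safer test than exact equality.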