Tracking residential proxies (for fun and profit)
Paweł Srokosz 🗣 | Michał Praszmo 🗣
Responding to the incidents as a Polish national CERT, we very often come across attackers using proxies and/or VPNs to hide their identity. While distinguishing well-known IP sources such as NordVPN or TOR has become pretty straightforward, residential proxies are often overlooked and due to their nature, they are much harder to be recognized properly. This challenge has been especially important lately when a particular threat actor started utilizing several residential proxy providers to hide behind normal Internet users and conduct false flag operations.
In this talk, we’ll describe how we have approached this problem, what we managed to achieve and what we are still struggling with.