Residential proxy + antidetect browser is the modern fraud stack. IP-only controls cannot reliably identify both layers. IP reputation tools like IPQS see "clean residential ISP" because commercial and peer-to-peer residential networks rent real home IPs. Pair that with Kameleo, GoLogin, Multilogin, Dolphin{anty}, or AdsPower and the device fingerprint also looks unique and human. Both signals come back green. The fraud sails through. This guide is how Sentinel sees through both — the network ASN signals AND the antidetect device tampering — in one verdict.

IP reputation alone cannot describe the browser, device, or user behavior behind a connection. Adding client-side consistency and behavioral evidence gives your policy engine more context, but no individual signal proves fraud. Here's how to combine those signals and measure whether they help.

A residential proxy uses an IP address assigned by a consumer ISP — Comcast, BT, Orange, T-Mobile — that's been co-opted as an outbound gateway. Commercial brokers like BrightData and peer-to-peer networks aggregate large, frequently changing pools of these IPs. They're rented by the GB, rotated per request, and indistinguishable from a real home user at the network layer.

This breaks the core assumption of every IP-reputation API released between 2012 and 2022: that the IP is diagnostic of the user. In 2026, it isn't. A residential proxy IP is literally a real Comcast customer's IP address — the same one that might be streaming Netflix from a different tab.

Why IP blocklists are obsolete

Legacy providers (IPQS, Fraudlabs Pro, MaxMind minFraud) detect proxies by maintaining blocklists of known proxy IP ranges. This strategy has two critical failures against residential proxy networks:

  • Legitimate and abusive use can share an address. Automatically blocking an IP can therefore harm real customers.
  • Rotation defeats it anyway. Even if you blocklisted every exit IP of a known residential provider, the provider rotates through millions per hour. Your list is stale before it's loaded.

That is why a blocklist should be one input, not the whole decision. Test network, device, and behavior evidence separately so you know which signals add value.

What still works: the 4 signal families

Detecting residential proxies reliably requires moving up the stack — from the IP itself to the behaviors that the proxy can't hide.

1. ASN and connection classification

ASN type, route history, hosting indicators, geolocation consistency, and rapid address changes can raise or lower risk. Consumer ASNs also carry legitimate users, so use this evidence to prioritize review or combine it with independent signals rather than treating an ASN as a blocklist.

2. Device consistency analysis

Client-side signals can reveal inconsistencies that an IP lookup cannot observe, such as a claimed platform that conflicts with rendering or automation evidence. Some proxy users will look ordinary and some legitimate users will have unusual configurations, so score combinations and validate them against labeled outcomes.

  • Canvas tampering — Kameleo/GoLogin canvas rendering deviates from real hardware in measurable ways (Bezier curve aliasing, subpixel positioning, emoji rendering).
  • WebGL parameter mismatches — claimed GPU doesn't match claimed OS, or renderer strings are spoofed inconsistently.
  • Audio context fingerprinting — tampered browsers leave traces in audio processing that genuine Chrome doesn't.
  • Font metric anomalies — font availability claims that don't match the claimed OS.

Choose tampering thresholds from representative data, publish the factors behind a decision, and monitor precision and recall as browser versions and customer traffic change.

3. TLS / JA3 fingerprint

TLS handshakes can provide another consistency check. A mismatch between the observed handshake family and the claimed client can increase risk, but middleware, enterprise inspection, and software updates can also change fingerprints. Treat it as supporting evidence.

4. Behavioral timing

Repeated timing and navigation patterns across otherwise separate sessions can indicate coordinated automation. Network quality and accessibility tools can produce unusual timing too, so compare sequences over time instead of blocking on one fast or slow request.

Practical detection stack

The practical stack for detecting residential proxies in 2026:

  1. Client-side SDK — collects canvas, WebGL, audio, and TLS-like signals from a real browser context.
  2. Server-side evaluate call — combines client signals with ASN lookup, known-residential-provider matching, and historical visitor ID analysis.
  3. Combined verdict — scored 0–100 for risk, with individual booleans for proxied and dch (datacenter), a tampering_score float, and a persistent visitor_id.

This is exactly what Sentinel's API returns in one call, in under 40ms.

Common residential proxy providers and their patterns

  • BrightData (formerly Luminati) — largest pool, strong ASN concentration in EU/US Tier-2 ISPs. Detectable via ASN + device fingerprint combo.
  • Smartproxy — similar pool composition; exit inventories can overlap heavily with other large brokers.
  • IPRoyal — primarily SOCKS5, shows higher latency jitter. Behavioral timing catches it well.
  • Smaller commercial and peer-to-peer networks — pool ownership and consent models vary, and inventories change quickly. Treat provider labels as time-sensitive intelligence rather than permanent truth.
  • PacketStream / Honeygain — P2P bandwidth-sharing networks. Consumers install the app voluntarily. Different ASN distribution, but detectable via client-side signals when the exit traffic reaches you.

A test you can run today

If you want to validate that your current defenses miss residential proxies:

  1. Sign up for a 24-hour BrightData trial ($5 minimum deposit).
  2. Route a browser through their residential endpoint with a US exit.
  3. Try to complete whatever fraud-sensitive action matters to your platform (signup, checkout, bonus claim).
  4. Check your fraud dashboard. Does the session show any risk signal? If not, you have a problem.

Run this test against your own vendors and labeled traffic. A device layer can add evidence that IP reputation alone cannot observe.

Getting started with Sentinel

Start with the network verdict available from a Sentinel account, then evaluate whether the optional browserTampering signal improves decisions in a shadow-mode test. Check the current pricing page for plan limits and record false positives before enabling an automatic response.