Five years ago, blocking fraud was simple: block AWS IP ranges, block known VPN exit nodes, done. Today that approach catches less than 30% of sophisticated fraud attempts.

The shift happened gradually, then all at once. Underground proxy marketplaces realized that residential IPs were worth far more than datacenter IPs because no blocklist would ever touch them.

How Residential Proxies Are Harvested

Free VPN apps, browser extensions that promise "free unlimited bandwidth," and pirated software installers all contain silent SDKs that enroll the victim's device as a proxy exit node. The victim has no idea. Their IP looks completely clean to any fraud API that checks it.

Why IP Reputation Fails Here

These IPs are genuinely clean. They've never sent spam. They've never been on an abuse list. Sentinel defeats residential proxy evasion by looking past the IP entirely — analyzing the TCP/IP stack fingerprint, MTU packet size anomalies, and cross-network velocity patterns.

The Five Layers of Modern Detection

No single signal catches a residential proxy. Five-layer composite detection is what works in 2026. Each layer alone is bypassable; together they leave nowhere to hide.

  1. ASN reputation — still useful as a coarse filter; catches the 30% using known proxy ASNs (M247, Datacamp, Hostpalace).
  2. TCP fingerprinting — the OS signature in TCP options ordering and window size betrays the actual operating system behind the exit, even when the user-agent claims otherwise.
  3. TLS JA4 fingerprinting — Chrome's real cipher-suite ordering is fixed per-version; a residential proxy reselling a Russian botnet's traffic exposes a TLS fingerprint that doesn't match the claimed Chrome build.
  4. Behavioral velocity — when 47 "different" residential IPs all hit /signup with identical mouse-acceleration curves within 90 seconds, they're one operator using a proxy network.
  5. Hardware entropy collisions — WebGL renderer + audio context + canvas fingerprint cluster hashes that recur across "unrelated" sessions reveal shared infrastructure.
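
The grouping logic behind layers 4 and 5, as an added example that is not Sentinel's code or any vendor's: it flags a fingerprint (a behavioural-curve hash or a WebGL/audio/canvas cluster hash) that shows up from several distinct IPs on the same path inside one 90-second window. The function name, the event tuple layout, the three-IP threshold and the sample events are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 90   # window taken from the article's /signup example
MIN_DISTINCT_IPS = 3  # assumed demo threshold; tune against real traffic


def find_shared_operators(events, window=WINDOW_SECONDS, min_ips=MIN_DISTINCT_IPS):
    """Return {(path, fingerprint): set_of_ips} for every fingerprint seen
    from at least `min_ips` distinct IPs inside one sliding window.

    events: iterable of (timestamp_seconds, ip, path, fingerprint), where
    fingerprint is any stable hash of behaviour or hardware entropy.
    """
    recent = defaultdict(deque)   # key -> (ts, ip) pairs still inside the window
    flagged = defaultdict(set)
    for ts, ip, path, fp in sorted(events):
        key = (path, fp)
        q = recent[key]
        q.append((ts, ip))
        # Drop observations that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {seen_ip for _, seen_ip in q}
        if len(ips) >= min_ips:
            flagged[key] |= ips
    return dict(flagged)


# Constructed sample data: documentation IP ranges and made-up hashes.
SAMPLE_EVENTS = [
    (0,   "203.0.113.10", "/signup", "curve:a1"),
    (20,  "198.51.100.7", "/signup", "curve:a1"),
    (75,  "192.0.2.44",   "/signup", "curve:a1"),  # third IP inside 90 s
    (5,   "203.0.113.99", "/signup", "curve:b2"),
    (400, "198.51.100.8", "/signup", "curve:b2"),  # same hash, too far apart
    (410, "192.0.2.45",   "/signup", "curve:c3"),  # hash seen only once
    (10,  "203.0.113.10", "/login",  "curve:d4"),
    (30,  "203.0.113.10", "/login",  "curve:d4"),  # one IP repeating, no collision
]

if __name__ == "__main__":
    for (path, fp), ips in find_shared_operators(SAMPLE_EVENTS).items():
        print(f"{path} {fp}: {len(ips)} IPs -> {sorted(ips)}")
```

Counting distinct IPs rather than raw hits keeps a single user retrying from one address from being flagged as a proxy network.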

What ShadowNode, Bright Data, and Smartproxy Have in Common

The three biggest residential proxy providers all face the same operational constraint: they can't perfectly hide that the residential exit is forwarding someone else's traffic. Specifically:

  • MTU mismatch — proxied connections show MSS values inconsistent with the claimed network type (fiber vs mobile vs DSL). Real consumer connections have predictable MTU/MSS pairs; proxied ones don't.
  • RTT clustering — round-trip time to a residential ISP in Sweden should be ~30ms from London. When it's 120ms, the request is passing through an intermediate hop.
  • HTTP/2 priority frames — modern Chrome sends specific HTTP/2 priority hints. Proxy software often strips or rewrites these, leaving a detectable absence.

What This Costs to Implement Yourself

A team building this stack from scratch typically needs: 6 months of senior engineering, an ASN database license (~$30k/year for a current one), a TLS fingerprint library, a MaxMind subscription, plus ongoing curation as proxy networks evolve their evasions. Most teams give up after layer two and accept the false-negative rate.

The shortcut: drop in a single SDK that ships all five layers and updates them as new bypasses appear in the wild. That's what Sentinel does — under 40ms per evaluation, no CAPTCHA, no friction added to legitimate users.