Pirate viewers have an endless array of tools for accessing geo-restricted content, including their latest trick: the hijacked residential IP address.
Residential IP addresses are an effective way for users to circumvent VPN blocking controls to access territorially restricted content for free or at a lower price. For example, people in the U.S. who want to subscribe to the NBA’s League Pass pay $199.99 each year, while in India, it costs 1,500 rupees, or a mere $19.
What is a residential IP address, and how is it hijacked?
If you Google “residential IP meaning,” you’ll find variations of this definition: The internet protocol (IP) address assigned to a home or business when a person signs up for internet service. A residential IP is generally considered more trustworthy than a data center IP and is therefore highly desirable.
A residential IP address is compromised – hijacked – during a cyber-attack or is harvested when users sign up for a free VPN or DNS proxy service without reading the terms and conditions. Failure to read the T&Cs allows the free VPN provider to sublease and sell the IP address to an unknown person or entity.
Through its industry monitoring, GeoComply has identified 17 companies selling residential proxy IPs. In total, we estimate more than 200 million users of free VPN services have unknowingly had their home IP addresses compromised.
The high cost of hijacked residential IPs
Pirate viewers can use a residential IP address through a proxy or VPN to view high-value content like live sports or new releases or view content restricted in their country. According to GWI, nearly one-third of internet users use a VPN or proxy, and over half of these do so to watch better entertainment content – that’s approximately 750 million people!
By hiding behind a legitimate domestic IP address, viewers can bypass VPN restrictions because streaming providers can’t take the risk of blocking genuine users. Yet the failure to stop this form of geo-piracy puts streaming services at risk for:
- Violation of rights holders’ agreements for content exclusivity.
- Lost service revenues if the content is easily available from alternate countries with lower licensing costs.
- Service abuse, such as the sharing or sale of credentials.
- Non-compliance with local laws and regulations, such as if the content is banned in a specific country.
- Increased content delivery costs by streaming content to unauthorized viewers.
How VPN vendors compromise residential IP addresses
Pirate viewers who lurk behind residential IPs have a partner in mischief: the premium VPN vendors who provide those IPs. These vendors are just as eager to evade detection as the pirate viewers and are constantly finding new ways to do so.
In a new white paper, “Residential IPs: A Rising Threat to Content Exclusivity,” content security consultancy Kingsmead Security analyzed how widespread the residential IP problem is. The dataset included:
- 59 VPN vendors.
- Two leading UK OTT services.¹
- 896,382 visits were recorded from 171,788 unique IP addresses.
¹ The dataset also covered 2 US OTT services, but these were not analyzed during the study.
Approximately half of the VPN vendors tested used residential IP addresses. The analysis also found that 84 percent of the unique IP addresses targeted at two OTT services were residential IPs.
One way in which VPN vendors attempt to thwart detection is by targeting “high-value” OTT services with service-specific proxy servers. This means only the targeted OTT service can determine the IP address of the proxy server. All other OTT services – and VPN detection vendors – can only detect IP traffic from the VPN server.
Re-routing specific OTT services through proxy servers is a widespread practice. A simple web search for “best VPN for streaming” gives insight into which vendors might be targeting a specific service.
By checking for DNS manipulation, Kingsmead could easily identify if a VPN vendor was targeting specific OTT streaming services, as the following table illustrates:
Four ways to combat the residential IP threat
The use of residential IP addresses to bypass VPN detection may seem like a can’t-win situation. Detecting their use is difficult since they may be indistinguishable from genuine user traffic. And any attempts to block residential IPs run the risk of excluding legitimate users, who may not even realize they’re hosting a proxy.
So, what can you do if you suspect residential IP addresses are being used to access your streaming service? The answer: quite a lot. No method of location masking – even hiding behind residential IP addresses – is 100 percent foolproof.
Here are four recommended strategies:
Make it difficult for a VPN vendor to target your streaming service with residential proxies through geolocation checks. Kingsmead notes that OTT service providers should perform two checks:
- Confirm the user is located within the service territory.
- Detect any use of VPNs to mask their location.
Kingsmead further recommends all geolocation checks should:
- Occur server-side – never use client logic.
- Be present on all essential service endpoints in your service.
- Exist on your content delivery network (CDN), with checks performed throughout streaming.
Gather information useful for detecting VPN activity, such as regularly reviewing the VPN market for vendors claiming to avoid detection by using your service. Internet searches for “Top VPNs for Streaming” or “Best VPN for Your Service” will give insight into those vendors targeting you.
Increase the blocking rates on your service with a reputable VPN and proxy detection solution that can do a residential IP check and also flag other types of IP manipulation, including:
- Tor exit nodes
- Proxy over VPN
- Peer-to-peer networks
- Smart DNS Proxies
If you do block a connection, take care to minimize the impact on legitimate viewers. For example, provide the users with clear messaging and a way to report issues – mistakes do happen.
Help consumers to understand the digital risks associated with hijacked residential IPs. Most consumers will not even be aware of unwanted VPN or proxy traffic routed through their home IP address. This traffic may include potentially illegal activities, like cybercrime, hacking, and, sadly, the circulation or consumption of child sexual abuse materials (CSAM).
Security guru Brian Krebs notes that while “renting” residential IP addresses has some legitimate business purposes, they’re “massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.”
In fact, there are companies whose residential proxy services are highly popular with the criminal underground. One of these, 911, permanently shut down after a cyberattack, leaving malicious actors scrambling for “a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses,” according to Krebs.
Consumer awareness is key to preventing residential IP abuse
Kingsmead notes that “leveraging residential homes is now widespread amongst VPN vendors, and hundreds of thousands of homes are now being actively used to route VPN traffic. This is an increasing threat to OTT services, who must be aware of the issue and take appropriate action.”
We can – and should – apply the best technical strategies to thwarting geo-piracy threats like a residential VPN or proxy. The first three recommendations – defend, understand, and respond – are a good start.
But the fourth one, education, is especially crucial.
Consumers should be made aware not only of the risks of hijacked residential IPs but also of both premium and free VPNs. (The free VPNs form the pool of available residential IP addresses.) Some risks include fraud, doxxing, cyberattacks, and even online child sexual exploitation through video games and other means.
Understanding the digital dangers of “free” VPNs may deter customers from their use. And one less customer who uses a “free” VPN is one less residential IP address for sale. That’s a big win for us all.
Ready to protect your content from the
residential IP threat?