The Invisible Army: Why 78% of Residential Attackers Bypass Modern IP Reputation
Corporate firewalls have long relied on the reputation of IP addresses, but new analysis indicates that this approach is increasingly failing. Researchers from GreyNoise examined four billion network sessions over a ninety-day period and concluded that nearly 40% of unique IP addresses contacting corporate perimeters originate from ordinary residential connections. Furthermore, approximately 78% of these addresses vanish before they can be recorded in any reputation database.
The problem is rooted in the nature of these addresses. From the perspective of a filtering system, traffic from a residential segment is indistinguishable from that of a legitimate user, because it shares the same internet service providers and address ranges. Adversaries are co-opting ordinary home internet, mobile networks, and small corporate connections as intermediary nodes. Consequently, malicious traffic mirrors the authentic requests of employees, customers, and partners.
The statistics show how quickly this landscape shifts. Residential addresses constitute 39% of unique sources, though they account for roughly 22% of total sessions. Each such IP typically participates in fewer than three sessions before disappearing. In essence, this is a constantly changing pool of sources that appear briefly and never accrue a discernible reputation.
The primary mechanism is the rapid rotation of addresses. Nearly 80% of residential IPs appear in only one or two sessions and are never observed again. Given such churn, any system that refreshes threat intelligence with even a slight delay simply cannot react quickly enough. Reputation feeds are rendered ineffective not by inaccurate data, but because the underlying model becomes obsolete faster than it can be updated.
Researchers identified a hidden signal in the geography of the traffic. Streams from IP addresses geolocated to India diminish by approximately 34% during nighttime hours, a pattern that aligns with human circadian rhythms and points to compromised home computers. These devices keep carrying out attacks while their owners sleep.
This phenomenon is driven not by a single threat, but by a combination of factors. The report identifies at least four independent origins: worm propagation, IoT botnets, commercial proxy networks, and VPN-based reconnaissance infrastructure. Between certain groups, no IP overlap was detected, despite the outward uniformity of the traffic.
Even large-scale operations to dismantle such infrastructure yield only temporary relief. Following the loss of roughly 40% of nodes within a specific proxy provider’s network, operators rebuilt the network within mere weeks. After each such intervention, the pattern repeats: a brief drop in activity followed by a swift recovery fueled by new devices.
These developments call for a change in defensive requirements. Orienting security solely around the source of traffic has become futile. Researchers counsel a shift toward behavioral analysis: scrutinizing the nature of client requests, the way the connection unfolds, and the recurrence of specific patterns. In this environment, the digital device fingerprint emerges as a more resilient instrument. Unlike a constantly changing IP address, a fingerprint remains constant through rotations, permitting the tracking of a single client even across disparate networks.
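The fingerprint-based tracking described above, as an added example that is not from the report or from GreyNoise: it groups constructed session records by a hypothetical client fingerprint and flags fingerprints seen from several short-lived IPs, which a per-IP counter misses. The record layout, thresholds, function names and sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample sessions (not from the report):
# (source_ip, client_fingerprint, request_path).
# The fingerprint is a hypothetical opaque label, e.g. a hash of client traits.
SESSIONS = [
    ("198.51.100.7",  "fp-a1", "/login"),
    ("198.51.100.88", "fp-a1", "/login"),
    ("198.51.100.88", "fp-a1", "/admin"),
    ("203.0.113.14",  "fp-a1", "/login"),
    ("203.0.113.201", "fp-a1", "/login"),
    ("192.0.2.50",    "fp-b2", "/"),        # one stable user on one address
    ("192.0.2.50",    "fp-b2", "/docs"),
    ("192.0.2.50",    "fp-b2", "/docs"),
    ("192.0.2.50",    "fp-b2", "/pricing"),
    ("192.0.2.91",    "fp-c3", "/"),        # user moving between two networks
    ("203.0.113.77",  "fp-c3", "/docs"),
]

def ip_view(sessions, threshold=3):
    """What a per-IP counter sees: addresses with at least `threshold` sessions."""
    counts = defaultdict(int)
    for ip, _fp, _path in sessions:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def rotating_clients(sessions, min_ips=3, max_sessions_per_ip=2):
    """Return {fingerprint: sorted IPs} for fingerprints seen from at least
    `min_ips` addresses, none of which carried more than `max_sessions_per_ip`
    sessions (the short-lived, rotating pattern the article describes)."""
    per_fp = defaultdict(lambda: defaultdict(int))
    for ip, fp, _path in sessions:
        per_fp[fp][ip] += 1
    flagged = {}
    for fp, ip_counts in per_fp.items():
        short_lived = all(n <= max_sessions_per_ip for n in ip_counts.values())
        if len(ip_counts) >= min_ips and short_lived:
            flagged[fp] = sorted(ip_counts)
    return flagged

if __name__ == "__main__":
    print("per-IP view flags:", ip_view(SESSIONS))
    for fp, ips in rotating_clients(SESSIONS).items():
        print(f"fingerprint {fp} rotated across {len(ips)} IPs: {ips}")
```

On the sample data the per-IP counter surfaces only the stable user's address, while grouping by fingerprint surfaces the client that never stays on one address long enough to cross a per-IP threshold.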
In summary, these conclusions are based on a dataset of four billion sessions collected from late November 2025 through February 2026. This was supplemented by a sample of 30,000 sessions classified via IPinfo, encompassing data from 683 international internet service providers. Validation through the Censys infrastructure confirmed that approximately 42% of sources were indeed residential connections. When accounting for compromised subscriber equipment, this proportion rises to 62%, with the remainder being servers or scanners erroneously categorized within the residential segment.