Why a residential IP is not enough cover
The whole point of a residential proxy is that the exit IP — the address the website actually sees — belongs to a real ISP customer. It inherits that customer's clean reputation and a residential ASN (the network block an internet provider owns). Against a system that only asks "is this a datacenter IP?", that works perfectly — which is why scrapers pay more for residential than for datacenter proxies.
But modern detection does not stop at the IP type. It asks a harder question: "does this connection behave like one person on one home connection, or like an exit node serving many sessions at once?" The IP's reputation is genuinely real. The usage pattern around it is not — and that is what gives the proxy away.
The signals that expose a proxy pool
Per-IP velocity and concurrency. A real home connection runs a handful of sessions at a time. A proxy exit relaying traffic for many customers shows hundreds of connections at once — many separate cookie jars, or many distinct browser fingerprints — all from one IP in a short window. That fan-out is the single strongest tell, and rotating IPs cannot fix it, because it is a property of the gateway (the shared entry point all that traffic flows through), not of any one IP.
Pool-level statistics. Anti-bot vendors that see traffic across the whole internet (Cloudflare, Akamai) watch for the signature of a pool: a sudden spike of requests to one sensitive page arriving from a large, varied set of residential ASNs all at once. No natural event produces that pattern; a rotating proxy campaign does. ML models are trained directly on this cross-IP pattern.
Latency and round-trip analysis. Routing through a proxy adds extra network hops and delay. JA4L and similar timing probes measure the round-trip time (RTT — how long a packet takes to go out and come back) and compare it against what the IP's claimed location should produce. An IP that geolocates to Berlin but answers with São Paulo-level delay is clearly being relayed through somewhere else.
Reputation and exit feeds. Commercial services (Spur, IPQS, IP2Proxy) continuously map out proxy-exit IPs by buying access to the pools themselves and recording which IPs serve their traffic. Many exit nodes also leave a proxy port open, which active scanning can detect.
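The per-IP concurrency signal described above can be sketched from the defender's side as follows. This is an added example, not code from any vendor named on this page; the 60-second window, the threshold of 5 identities, the event tuple layout and the sample traffic (documentation-range IPs) are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

WINDOW_S = 60       # assumption: sliding window length, seconds
MAX_IDENTITIES = 5  # assumption: most distinct identities expected from one household

def flag_fanout(events, window_s=WINDOW_S, max_identities=MAX_IDENTITIES):
    """events: (ts, ip, session_id, fingerprint) tuples sorted by ts.
    Returns {ip: (peak_sessions, peak_fingerprints)} for IPs whose distinct
    sessions or fingerprints inside any one window exceed max_identities."""
    window = defaultdict(deque)       # ip -> events currently inside the window
    sessions = defaultdict(Counter)   # ip -> session_id -> hits inside the window
    prints = defaultdict(Counter)     # ip -> fingerprint -> hits inside the window
    peak = defaultdict(lambda: (0, 0))
    for ts, ip, sid, fp in events:
        window[ip].append((ts, sid, fp))
        sessions[ip][sid] += 1
        prints[ip][fp] += 1
        # Evict events that have aged out of the window for this IP.
        while window[ip][0][0] <= ts - window_s:
            _, old_sid, old_fp = window[ip].popleft()
            for counter, key in ((sessions[ip], old_sid), (prints[ip], old_fp)):
                counter[key] -= 1
                if counter[key] == 0:
                    del counter[key]
        peak[ip] = (max(peak[ip][0], len(sessions[ip])),
                    max(peak[ip][1], len(prints[ip])))
    return {ip: p for ip, p in peak.items() if max(p) > max_identities}

def sample_events():
    """Constructed traffic: a household, one heavy single user, one shared exit."""
    ev = []
    for i in range(30):    # household: 3 devices, one request every 20 s
        ev.append((i * 20, "198.51.100.7", f"home-{i % 3}", f"fp-home-{i % 3}"))
    for i in range(200):   # heavy user: high request rate, but a single identity
        ev.append((i * 0.25, "192.0.2.9", "solo", "fp-solo"))
    for i in range(40):    # shared exit: 40 sessions, 25 fingerprints in 30 s
        ev.append((100 + i * 0.75, "203.0.113.20", f"s-{i}", f"fp-{i % 25}"))
    return sorted(ev)

if __name__ == "__main__":
    for ip, (n_sessions, n_prints) in flag_fanout(sample_events()).items():
        print(f"{ip}: {n_sessions} sessions, {n_prints} fingerprints in one window")
```

The heavy single user sends the most requests yet is not flagged, because the check counts distinct identities per IP rather than raw request rate.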
Coherence checks layered on top
Once an IP is suspected of being a proxy exit, vendors cross-check it against the rest of the request, the same way fingerprint lie detection checks a browser fingerprint for contradictions. The IP's location should match the browser's timezone, the Accept-Language header (the languages the browser says it prefers), and the locale that JavaScript reports. A residential IP in Japan paired with Europe/London and en-US does not add up, which is a sign the proxy was bolted onto a browser profile that was generated somewhere else.
This is why buying clean residential IPs is necessary but not sufficient. The whole identity around the IP — timezone, language, fingerprint, and how often requests arrive — has to look like one real person living behind that connection.
How to avoid tripping it
Keep per-IP velocity low. Treat each exit IP like a single human: limit how many sessions run at once, space requests out at a human pace, and use sticky sessions so one identity stays on one IP instead of jumping to a new one mid-task.
Match geo to identity. Make the proxy's location agree with the browser's timezone, language, and locale. Mobile proxies make detection even harder, because carrier-grade NAT (where the carrier puts thousands of real phone users behind one shared IP) means high concurrency from a single IP is normal — so velocity heuristics carry much less weight.
Use clean, well-sourced pools. Cheap pools recycle IPs that already sit in every exit feed. A managed scraping API ties proxy quality, sensible rotation, and fingerprint coherence together, so the proxy and the browser identity match each other by design rather than being hand-assembled and hoping they line up.
