proxy & network identity

the network is the other half of a fingerprint: not what the browser presents, but where it exits. four classes, datacenter, isp, residential, mobile, each with a different default trust and a different tell. below: the class taxonomy joined to the proxy band the benchmark scores, the providers that sell each pool, and what gives each class away to the five-vector coherence check (ip/asn, timezone, accept-language, webrtc, dns).

forensic reference · as of 2026-06-16 · class tells confirmed · provider pool sizes and success rates are vendor-published, treat as speculative

the class taxonomy · trust ladder

datacenter

trust: lowest
class: datacenter

ip space on a cloud / hosting asn (aws, gcp, azure, digitalocean, linode, vultr). cheap, fast, effectively unlimited, and the first pool every scraper reaches for.

primary tell: the asn itself: a hosting asn appears on public datacenter blocklists, the rdns resolves to the provider, and there is no carrier behind it. no eyeballs live here, so any traffic reads as automation by default.

typical cost (2026, speculative): ~$0.5 to $2 / gb, or a few dollars per dedicated ip per month

lowest trust by construction. datadome and similar weight a hosting asn heavily in the ip-reputation component of the score (the guide cites a 25 to 30 percent-ish weight, speculative). fine for unauthenticated, low-value targets; flagged on sight by anything with an asn-reputation feed.

isp (static residential)

trust: high
class: isp

a residential ip leased on a known consumer-isp asn (e.g. comcast as7015). residential-trust ip space, but rented as a stable, static exit instead of a rotating pool.

primary tell: the asn reads residential, so it clears the datacenter blocklists; the tell is that the SAME ip sits behind sustained, machine-paced traffic that a real home connection would not generate. stability is the feature and the giveaway.

typical cost (2026, speculative): ~$2 to $15 per ip per month

the best of both: residential trust plus a static ip, so session trust accumulates instead of resetting every request. this is the class net-echo carries as its own `isp` label between datacenter and rotating residential. the trap is volume: a residential ip serving thousands of sessions stops looking residential.

residential (rotating)

trust: high
class: residential

real consumer devices reached through p2p / sdk pools (bandwidth resold from apps that bundled an sdk). every request can exit from a different real home ip.

primary tell: rotation itself: an exit ip that changes mid-session breaks the trust a detector accumulates across requests, and the pool's reputation is only as good as its worst member. one flagged peer taints the address you land on.

typical cost (2026, speculative): ~$3 to $10 / gb

high per-ip trust (these are genuine eyeball addresses) undercut by rotation. mid-session ip changes break the multi-request trust accumulation akamai and perimeterx rely on, so the same property that defeats simple ip blocks defeats the operator's own session. pool reputation varies wildly by provider.

mobile (4g / 5g)

trust: highest
class: mobile

carrier ip space behind cgnat: thousands of real phones share a handful of public addresses, all on a mobile-carrier asn.

primary tell: high address churn from cgnat sharing, but a carrier asn that detectors are loath to block, because blocking it would cut off real subscribers behind the same nat. the shared-nat churn is the cost, the carrier asn is the trust.

typical cost (2026, speculative): ~$5 to $30 / gb

highest trust by default. a carrier asn plus the collateral-damage problem (blocking one cgnat ip blocks every real subscriber on it) makes detectors reluctant to act, so mobile exits ride on borrowed reputation. the churn that protects you also makes the exit geo and timezone harder to keep coherent.

provider roster · who sells the pools

bright data

official ↗

datacenterispresidentialmobile

the broadest roster: all four classes plus a managed unblocking layer that targets the hard vendors (f5 shape among them). the size is the point and the risk, a pool that large is sourced widely, so peer reputation varies and a flagged peer taints the exit you land on.

pool: 72M+ ips (claimed) · speculative · as of 2026-06-16
success: 98.44% success (vendor-published) · speculative · as of 2026-06-16
also a managed api: bright-data

oxylabs

official ↗

datacenterispresidentialmobile

the other full-roster heavyweight, marketed on a very large residential pool and an oxycopilot ai layer over the api. same caveat as any large residential pool: per-ip trust is real, but pool reputation is only as good as the worst peer in it.

pool: 102M+ ips (claimed) · speculative · as of 2026-06-16
also a managed api: oxylabs

decodo (ex-smartproxy)

official ↗

datacenterresidentialmobile

the rebrand of smartproxy, positioned as the affordable mid-tier across datacenter, residential and mobile. no isp/static tier in the headline roster, so session-stability cases lean on the others.

also a managed api: decodo

zyte (smart proxy manager)

official ↗

datacenterresidential

the company behind scrapy. sells proxy access as a smart-proxy-manager that auto-unblocks, so the proxy and the unblocking logic ship together rather than as separate pools.

success: ~93% autoextract success (vendor-published) · speculative · as of 2026-06-16
also a managed api: zyte

scraperapi

official ↗

datacenterresidential

a simpler proxy-plus-js-render api with a free tier: hand it a url, it picks the pool and renders. datacenter and residential only, aimed at volume scraping rather than the hardest gates.

also a managed api: scraperapi

scrapingbee

official ↗

datacenterresidential

a rest-first proxy + render api with a free tier, in the same simple-managed-api bracket as scraperapi. datacenter and residential pools behind a single endpoint.

also a managed api: scrapingbee

adjacent · not yet profiled

iproyal [residential · mobile] residential + mobile, named in the guide as an adjacent vendor. verify before profiling.
nodemaven [residential · mobile] residential + mobile, adjacent. verify before profiling.
soax [residential · mobile] residential + mobile, adjacent. verify before profiling.

free / diy pools (swiftshadow, aws-api-gateway rotation) are tooling, not providers, and carry poor ip reputation that fails reputation gates. they are not in this roster on purpose.

the tells · class against the five-vector coherence check

a detector does not read the exit ip alone, it cross-checks five vectors and flags the one that disagrees with the rest. the proxy moves the http path; keeping every other vector coherent with the new exit is the hard part.

ip / asn

reads: the exit ip's owning asn and its reputation class (hosting vs consumer-isp vs carrier), plus rdns.

tell: a hosting asn on a request claiming to be a home user; an asn on a public datacenter blocklist.

timezone

reads: the browser's intl / date timezone offset against the geoip of the exit ip.

tell: an exit ip geolocating to one country while the browser reports a timezone from another. rotation makes this drift mid-session.

accept-language

reads: the accept-language header and navigator.languages against the exit geo.

tell: en-us on an exit that geolocates to a non-english region, or a locale that never matches the claimed country.

webrtc

reads: the ice candidates webrtc surfaces, which can reveal the true local / public ip behind a proxy.

tell: a webrtc-leaked ip that does not match the http exit ip: the proxy moved the http path but not the rtc path.

dns

reads: where dns resolution physically happens and the resolver's geo, versus the claimed exit geo.

tell: dns resolving from a different region than the exit ip (a dns leak), exposing the real upstream behind the proxy.

datacenter · across the five vectors

ip / asn: fails immediately: hosting asn, datacenter rdns, on public blocklists.
timezone: geoip is precise (the dc location), so a mismatched browser tz is glaring.
webrtc: rtc ip often leaks the real host unless explicitly suppressed.
dns: resolver geo usually matches the dc, reinforcing the hosting verdict.

isp (static residential) · across the five vectors

ip / asn: passes the asn check (reads residential); volume on a static ip is the tell instead.
timezone: stable geo makes tz easy to keep coherent, the upside of staying put.
accept-language: coherent as long as the locale is pinned to the static exit's region.

residential (rotating) · across the five vectors

ip / asn: passes per-ip, but rotation churns the asn and pool reputation varies.
timezone: rotation drifts the exit geo mid-session, so a fixed browser tz desyncs.
accept-language: a fixed locale across a rotating multi-country pool reads as inconsistent.
webrtc: consumer rtc candidates can still expose the true device behind the pool peer.

mobile (4g / 5g) · across the five vectors

ip / asn: highest trust: carrier asn detectors avoid blocking due to cgnat collateral.
timezone: cgnat churn makes a stable exit geo hard, so tz coherence takes work.
dns: carrier resolvers usually align with the exit, a coherence advantage.

your exit · live verdict

the live "your exit" overlay (classify your own ip's asn against this taxonomy via classifyAsn()) is not wired into this console yet. the verdict it would pin here, datacenter / isp / residential / mobile / unknown, already runs on the network details tool, which fetches the server's net-echo of your request.

→ run the live self-probe on /tools/network

go deeper

→ network details the combined transport view this drills down from, with a live self-probe of your own connection's exit.
→ bot economy the $/gb these proxy classes cost, folded into the per-1k-accounts cost of attack.