The pitch for residential proxies is always the same: your traffic goes out through “real user devices.” Real phones, real laptops, real people at home. That’s the whole selling point — the exit looks like a human because it supposedly is one.
I wanted to check. Not the marketing, not the user-agent string the seller hands you — those are trivially dressed up. I wanted to look at a layer the seller doesn’t really control: the TCP handshake itself. When a machine opens a connection, its kernel stamps the SYN packet with a handful of tuning values — options, window scale, TTL, MSS. Those come from the OS, not from whatever the operator wants you to believe is running.
So I sat on the other end and listened. 319,706 connections through residential proxy exit nodes, SYN parameters captured off each one. Then I went looking for what the stack was quietly saying.
Almost none of them are phones or laptops
Here’s the OS split:
- Linux/Android — 313,300 (98.0%)
- Windows — 5,604 (1.8%)
- BSD/iOS — 719 (0.2%)
- Unknown — 83 (0.03%)
Think about what that mix would have to be. If this pool were actually a crowd of ordinary people’s devices, the mix would look roughly like the consumer market — call it a third Windows, a quarter Android, a quarter iOS, some macOS scattered in. That’s what “real users” looks like from the outside.
But that’s not what this is. It’s 98% Linux, which looks a lot more like a server room with some proxy-SDK Android phones bolted on than an actual neighborhood. The shape gives it away before you’ve looked at a single other field.
When “diverse residential users” all share one kernel default
I broke the SYNs down by full fingerprint to see how varied they really were. The single most common one covers 54.6% of every probe:
OS: Linux/Android
Options: MSS,SACK,TS,NOP,WS
MSS: 1460
Window Scale: 12
TTL: 64
That’s a stock Linux kernel TCP stack. Nothing exotic — the defaults you’d get out of the box. The second most common fingerprint (15.8%) is byte-for-byte the same except Window Scale = 6, which is just an older kernel or a different sysctl knob.
Add those two together and you’re past 70% of the pool sharing one of two near-identical kernel defaults. “Diverse residential users” don’t do that. Real households run a mess of different OSes, versions, and hardware — the variety is the whole point of a residential pool. When more than half of them handshake in lockstep, they aren’t diverse and, frankly, they aren’t users.
The MSS quietly narrates the wiring
The maximum segment size is my favorite field here, because it leaks the physical link sitting under the connection. The kernel sets MSS based on the path’s MTU, and different kinds of links carve off different amounts of overhead. So the number tells you what the exit is actually plugged into:
- 1460 (73%) — plain Ethernet
- 1452 (8.8%) — PPPoE, i.e. DSL
- 1412 (6.9%) — VPN / tunnel overhead
- 1440 (3.1%) — some ISP-specific MTU
The PPPoE slice is the honest part of the picture — 1452 is what real residential DSL looks like, and that’s genuinely someone’s home line.
The 1412 slice is the one that made me lean in. That extra overhead is the signature of a tunnel: the traffic isn’t arriving straight off a home link, it’s coming through something first. That lines up with wholesale gateways re-exporting traffic — one operator taking connections and pushing them back out, borrowing the residential reputation on the way through. The “home” IP is real enough; the hop before it isn’t a home at all.
It all funnels through a handful of networks
Last thing I checked was where these exits actually live, by ASN. If this were a broad grassroots population of consenting people, you’d expect them smeared across thousands of small networks all over the place.
Instead they pile up in a few large ISPs — mostly big US cable providers. The single top ASN by itself accounts for roughly 10% of all probed exits, with tens of thousands of unique IPs under it. A pool that clusters that hard isn’t a wide sweep of volunteers. It’s whichever networks the recruitment malware happened to find most fertile.
The pattern that keeps showing up
Every layer told the same story the one before it did, and it’s the same lesson I keep running into: you can spoof the one field you control — the exit IP — and you leak at every layer you don’t. The seller can hand you a clean residential address and a convincing user-agent all day. But the kernel underneath still stamps the SYN, and that stamp gives away the real OS no matter what the seller claims. That’s a layer the operator doesn’t get to dress up, and when you actually read it, the “real user devices” turn out to be a rack of Linux boxes.