Residential proxy networks sell you the promise of clean, ISP-assigned IPs — but how those IPs actually get into the pool determines everything about quality, legality, and detection risk. In 2026, three sourcing models dominate: opt-in SDK embedding, peer-to-peer network recruitment, and outright botnet harvesting. Knowing which model sits behind a provider’s “residential” label is more useful than any benchmark.
SDK Embedding: The Legitimate End of the Spectrum
SDK-based sourcing is what most tier-1 residential proxy providers (Bright Data, Oxylabs, IPRoyal) use. A developer integrates a lightweight SDK into a free app or VPN, and end users consent (buried in ToS) to route third-party traffic through their device when idle and charging.
The economics are straightforward: the SDK developer gets revenue share, the app user gets a free premium tier, and the proxy provider gets a pool of genuinely residential IPs with real ISP assignments. Bright Data’s network runs roughly 72 million IPs built almost entirely on this model.
From a detection standpoint, SDK-sourced IPs are the hardest to block. The IP belongs to a real household, appears in genuine ISP WHOIS records, and has organic browsing history behind it. The ASN reputation is clean — which matters a lot when a target site cross-references against known proxy ASN ranges, a technique covered in depth in Datacenter Proxy ASN Reputation: How Sites Pre-Block IP Ranges (2026).
The tradeoff: SDK networks have high churn. A user uninstalls the app, that IP exits the pool immediately. This makes sticky sessions harder to guarantee, and providers have to maintain complex affinity layers to compensate — see Sticky Session Internals: How Providers Maintain Session Affinity (2026) for how that infrastructure actually works.
P2P Recruitment: Gray Zone but Common
P2P-sourced networks recruit exit nodes through browser extensions, peer VPN clients, and “earn while idle” desktop apps. The line between this and SDK embedding is thin, but the key difference is consent clarity. Many P2P providers use deliberately opaque onboarding flows where users don’t meaningfully understand they’re becoming proxy nodes.
This sourcing model powers mid-tier providers and most “cheap residential” plans you’ll find on reseller panels. IP quality varies wildly because P2P nodes include:
- Corporate office connections (high risk: get flagged fast)
- University dorm networks (medium risk: high NAT, shared ranges)
- Home broadband in tier-2 markets with loose ISP controls
- Mobile data users in regions with carrier-grade NAT
P2P networks typically have pool sizes of 5-30 million IPs but effective concurrency is lower than advertised. Many nodes are offline, rate-limited by the host ISP, or on the same /24 subnet as known bad actors.
For geo-coverage questions — particularly in emerging markets where P2P recruitment is aggressive — the pool composition matters. A South African residential IP sourced via P2P may share an ASN with botnet-flagged ranges, which is why checking provider reputation per-country is worth doing before committing to a plan. The Best South Africa Proxy Providers 2026: SA Residential Mobile IPs breakdown shows exactly this kind of ASN-level variance across providers operating in that market.
Botnets: The Dirty Pool You’re Probably Using Without Knowing
Some “residential” proxies route traffic through compromised consumer devices — malware-infected Windows machines, routers with unpatched firmware, and IoT devices running default credentials. The proxy provider either runs the botnet directly or buys bandwidth wholesale from underground operators.
You can detect botnet-sourced pools with a few signals:
- Pricing below $2/GB for “residential” traffic (legitimate SDK networks cost $4-15/GB)
- Pool sizes that don’t match the provider’s company size or disclosed partnerships
- IPs that resolve to consumer routers (Mikrotik, TP-Link) rather than end-user devices
- High block rates on hardened targets like Akamai or Cloudflare Bot Manager
Botnet IPs often have the right ASN (real ISP) but wrong behavioral fingerprints. They lack browsing history, TLS fingerprints are inconsistent, and they appear in threat intel feeds. Cloudflare’s Bot Score and Akamai’s reputation scoring flag these aggressively.
Mobile Proxies: A Different Architecture Entirely
Mobile proxies are worth separating from the residential discussion entirely. Instead of recruiting consumer devices, mobile proxy providers operate physical SIM farms — racks of devices or USB modems cycling through carrier IPs via real cellular connections. This gives IPs that are carrier-assigned, shared via CGNAT with thousands of legitimate users, and essentially impossible to pre-block without collateral damage.
The carrier selection and NAT behavior directly affect scraping performance in ways that aren’t obvious from a provider’s marketing page. Why Mobile Proxy Carriers Matter: NAT, ASN, IP Pool Differences (2026) walks through why an IP on Singtel behaves differently than one on M1 even in the same country. And the physical infrastructure behind these networks — the SIM sourcing, device management, and rotation hardware — is covered in Mobile Proxy Network Internals: SIM Farms, Jailbroken Devices, Hardware (2026).
Sourcing Model Comparison
| Sourcing Method | Typical Pool Size | Price/GB | Detection Risk | Legal Clarity |
|---|---|---|---|---|
| SDK (opt-in) | 10M – 100M | $4 – $15 | Low | High |
| P2P (gray) | 5M – 30M | $2 – $6 | Medium | Medium |
| Botnet | 1M – 50M (claimed) | $0.50 – $2 | High | None |
| Mobile SIM farm | 100K – 5M | $8 – $25 | Very low | High |
The pool size column is worth scrutinizing. Providers in the botnet/P2P tier often claim inflated numbers because they count IPs seen over a rolling 90-day window, not concurrently available nodes. A practical way to test:
import requests, time
proxy = {"https": "http://user:pass@gate.provider.com:10000"}
seen_ips = set()
for _ in range(100):
r = requests.get("https://api.ipify.org", proxies=proxy, timeout=10)
seen_ips.add(r.text.strip())
time.sleep(1)
print(f"Unique IPs from 100 requests: {len(seen_ips)}")A healthy SDK-based pool returns 80-95 unique IPs across 100 sequential requests. A botnet pool with inflated claims often returns 20-40 because most nodes are offline or throttled.
Bottom Line
If your scraping target runs Akamai, Cloudflare Enterprise, or DataDome, only SDK-sourced residential or mobile SIM-farm IPs will hold up consistently — budget anything else and you’ll burn spend on blocks. For lower-stakes targets or bulk data collection where some block rate is acceptable, P2P networks offer a reasonable cost-quality tradeoff. Avoid any provider priced below $2/GB for “residential” traffic without documented SDK partnerships. DRT covers these infrastructure distinctions across proxy types and markets so you can make sourcing decisions based on how the pool actually works, not how it’s marketed.
Related guides on dataresearchtools.com
- Mobile Proxy Network Internals: SIM Farms, Jailbroken Devices, Hardware (2026)
- Why Mobile Proxy Carriers Matter: NAT, ASN, IP Pool Differences (2026)
- Datacenter Proxy ASN Reputation: How Sites Pre-Block IP Ranges (2026)
- Sticky Session Internals: How Providers Maintain Session Affinity (2026)
- Pillar: Best South Africa Proxy Providers 2026: SA Residential Mobile IPs