Skip to content
residentialusasn-trustcgnat

Why US residential proxies behave differently from EU residential — even on the same target

Two "residential" exits on the same country target can score differently because the underlying networks don't look the same. A walk through the ASN trust differences, CGNAT prevalence, and why Comcast ≠ Deutsche Telekom under the hood.

· Dev Morales · 6 min read

A question we get a couple of times a month: "our EU residential pool clears this target, but our US residential pool gets challenged on the first request. Why?" The easy answer is "US retail targets are stricter." The real answer is that US and EU residential networks are shaped differently at the ASN, NAT, and BGP layers, and any detection vendor that's worth what their customers pay for it consumes those shape differences as a feature.

This post is a walk through the structural differences we watch when building and sizing a US-only residential pool. It's also, indirectly, why Proxaro is US-only instead of another global pool — the rules we care about are too market-specific to average across.

ASN trust: the same name does different work

Start with a basic question: what does a detection vendor like Spur, IPQualityScore or MaxMind actually return for a "residential" IP?

They return a trust score derived from the announcing ASN weighted against the known behaviour of that ASN's peers, cross-checked against their own observed traffic. An ASN that carries 30 million home subscribers and 4 TB/s of consumer traffic looks nothing like an ASN that carries 300,000 subscribers and 80 Gb/s, even if both are technically "residential."

In the US, two ASNs dominate the residential map:

  • Comcast Cable (AS7922) — ~32 million subscriber addresses.
  • Charter Spectrum (AS20115) — ~30 million subscriber addresses.

That's ~62 million of a US broadband base of ~108 million households sitting on exactly two ASNs. Any detection signal that weights "how many of our known-good observations come from this ASN" will rate AS7922 and AS20115 as maximum-trust. Almost nothing clears higher than those two.

Now compare the EU. The largest EU residential networks are:

  • Deutsche Telekom (AS3320) — ~21 million subscriber addresses.
  • Orange France (AS3215) — ~12 million.
  • British Telecom (AS2856) — ~8 million.
  • Proximus, Telefónica España, KPN NL — 4–6 million each.
  • ... and a long tail of tier-2 and tier-3 national carriers, each carrying single-digit millions.

The EU's largest residential ASN carries two-thirds of what Comcast alone carries. No single European ASN has the absolute observation volume that AS7922 and AS20115 give their detection-vendor peers. That translates to a subtly different trust calibration: an EU residential pool drawn from DT, Orange and BT averages slightly lower per-exit trust than a US pool drawn from Comcast and Spectrum, because the observation density is lower.

On a forgiving target that's barely fine. On a target whose bot defense is tuned specifically against Comcast-shaped traffic, EU residential will get challenged more.

CGNAT prevalence: different for fixed vs. mobile

Here the asymmetry flips. Carrier-grade NAT — thousands of subscribers behind one public IPv4 — is rare in US fixed-line residential and common in EU fixed-line residential.

US major cable carriers (Comcast, Spectrum, Cox) still run close to a 1:1 mapping of public IPv4 to subscriber in most metros. Comcast dynamic leases rotate the IP but one subscriber has one IP at a time. This is why US IPv6 adoption on residential is quietly high: Comcast needs it less for NAT relief and more because it's actually better.

EU fixed-line is more heterogeneous. Deutsche Telekom and Orange run 1:1 in most regions, but many EU ISPs (Proximus in Belgium, Telia in Sweden, smaller French alt-ops) default to CGNAT for consumer connections. A DE or FR residential exit is more likely to share a public IPv4 with a few hundred to a few thousand peers than a US residential exit is. That's a fingerprint signal that goes the other way: a shared-IP residential exit has higher "blast radius" for the ISP and is therefore less likely to be blocked aggressively by the target.

The net effect: EU residential gets a CGNAT-like tolerance from some targets that US residential doesn't get. US residential gets higher baseline ASN trust that EU residential doesn't get. Both are residential. Both are not the same product.

BGP paths and peering density

Third layer of shape difference: how the exit's traffic actually gets to the target's edge.

US residential traffic peers into target CDNs at about four or five major meet-me rooms: Equinix Ashburn, 1 Wilshire in LA, Equinix Chicago CH2, Equinix Dallas DA2, and to a lesser extent NYC. A Comcast Chicago customer hitting a Cloudflare-fronted site hits Cloudflare's CH2 edge in roughly 2-3 hops through the Comcast backbone. The path is short, consistent, and easy for the target to validate against a MaxMind / Spur "this is a real US residential path" reference.

EU residential peering is spread across London, Frankfurt, Amsterdam, Paris, Stockholm, Madrid, Milan — plus national IXs (BIX, DE-CIX Düsseldorf, LINX Manchester). A Paris consumer hitting the same Cloudflare site will land on Cloudflare's CDG or AMS PoP via a BGP path that varies by carrier more than the equivalent US path varies. Detection tools handle this fine for EU-wide traffic; it makes per-country EU exits slightly less consistent than US.

What this means for how we build the US pool

A detection vendor looks at our US pool and sees, for each exit:

  • An announcing ASN that's one of the big six US carriers, with deep observation history.
  • A 1:1 NAT mapping consistent with US residential norms.
  • A BGP path that terminates at the expected peering fabric for that carrier's region.
  • Subnet and IP allocation metadata that matches FCC BAF and carrier IPAM records.

We get to focus on optimizing those four dimensions for one country. A global pool optimizes for "acceptable" across 120 countries and pays for it on every one.

Practical implication if you're migrating from EU to US work

A few things change the day you move an automation pipeline from EU residential to US residential:

  1. Your rotation cadence can be slower. US residential trust is higher per exit, so you can hold a sticky window longer without drift penalty.
  2. Your per-IP rate budget is lower. US retail targets rate-limit per-subnet aggressively. Burst carefully.
  3. ZIP / DMA matters more. EU residential targeting is mostly country + city. US targeting is DMA + ZIP. Plan accordingly.
  4. Your warmup profile changes. A US account warmed from a Spectrum Orlando IP and then posting from a T-Mobile Seattle IP is scored as "unstable" on TikTok and Instagram in a way that the equivalent EU-to-EU mismatch isn't.

The TL;DR

Residential is not one product. In the US, "residential" leans on two giant ASNs and 1:1 NAT. In the EU, "residential" leans on a broader carrier mix and more CGNAT. Detection vendors read those shapes, so your detection performance changes by geography even when the label on the proxy pool doesn't.

If you run US workloads, let us run the US pool for you — we're narrow on purpose.

Keep reading

Ship on a proxy network you can actually call your ops team about

Real ASNs, real edge capacity, and an engineer who answers your Slack the first time.

See pricingContact sales