IP rotation was a great strategy. In 2019.
Bright Data built a $300M+ business on one core idea: if a website blocks your IP, use a different one. Rotate through millions of residential IPs and the target site can never pin you down.
This was brilliant when anti-bot systems relied on IP-based blocking. It’s worthless now. Modern anti-bot systems don’t identify you by your IP address. They identify you by your session fingerprint — a composite identity built from dozens of browser signals that persists no matter how many times you change your IP.
Bright Data, ScraperAPI, Oxylabs, and ZenRows are still selling IP rotation as if it’s 2019. Their customers are still paying for it. And they’re still getting blocked.
How anti-bot systems create persistent session fingerprints
When you visit a site protected by DataDome, PerimeterX, Akamai, or Cloudflare, the anti-bot JavaScript immediately begins building a fingerprint of your browser session. This fingerprint combines multiple signals into a unique identifier that follows you across requests, regardless of your IP address.
Canvas fingerprinting
The anti-bot script draws invisible graphics on an HTML5 canvas element — text with specific fonts, gradients, and shapes. The way your browser renders these graphics depends on your GPU, graphics driver, OS, and browser version. The rendered output is hashed into a canvas fingerprint.
Key fact: two different machines almost never produce the same canvas hash. But the same machine produces the same hash every time. So when Bright Data rotates your IP from a New York residential address to a London residential address, but both requests carry the same canvas fingerprint… the anti-bot system knows it’s the same browser.
WebGL fingerprinting
Similar to canvas, but using the WebGL API. Anti-bot scripts query:
WEBGL_debug_renderer_info— reveals the exact GPU model- Supported WebGL extensions
- Max texture size, viewport dimensions
- Shader precision formats
This produces a WebGL fingerprint that is highly unique and consistent per machine. Headless browsers using software rendering produce distinctive WebGL fingerprints that anti-bot systems have catalogued exhaustively.
Audio context fingerprinting
The AudioContext API processes audio slightly differently on every machine due to hardware and software differences. Anti-bot scripts create an oscillator node, process a signal, and hash the output. This audio fingerprint is:
- Independent of IP address
- Consistent across sessions on the same machine
- Different between machines
- Detectable even in headless browsers
Cookie and localStorage correlation
Anti-bot systems set tracking cookies and localStorage values on the first visit. These persist across page loads and contain encrypted session identifiers. When you rotate your IP but send the same cookies, the anti-bot system immediately correlates your new request with your old (blocked) session.
Even if you clear cookies, the anti-bot system notices:
- Fresh visit with no cookies + known fingerprint = same user, cleared cookies
- Fresh visit with no cookies + new fingerprint = genuinely new user
Bright Data’s proxy infrastructure doesn’t manage per-session cookie state. Their requests either send stale cookies from a blocked session or no cookies at all. Both are detection signals.
TLS fingerprinting (JA3/JA4)
Every HTTP client produces a unique TLS handshake fingerprint based on the cipher suites, extensions, and curves it supports. This fingerprint is captured before any HTTP data is exchanged — the anti-bot system knows your client identity before you’ve even sent a URL.
JA3 and its successor JA4 are now standard detection tools. Akamai, Cloudflare, and Imperva all use TLS fingerprinting. Bright Data’s proxy infrastructure modifies the TLS handshake, producing fingerprints that don’t match any real browser. It’s like showing up to a costume party wearing a name tag that says “I’m a proxy server.”
Combined fingerprint = persistent identity
Anti-bot systems don’t rely on any single signal. They combine all of them:
Session Identity = hash(
canvas_fingerprint +
webgl_fingerprint +
audio_fingerprint +
tls_fingerprint +
screen_resolution +
timezone +
language +
installed_fonts +
navigator_properties +
cookie_state
)This composite fingerprint is your identity. Changing your IP changes nothing. You’re the same “person” to the anti-bot system.
The IP rotation death spiral
Here’s what actually happens when you use Bright Data on an anti-bot protected site:
-
Request 1 (IP: 1.2.3.4): Page loads. Anti-bot JavaScript collects fingerprint. Session created. Fingerprint stored.
-
Request 2 (IP: 5.6.7.8): Different IP, same fingerprint. Anti-bot system matches to existing session. Challenge issued.
-
Request 3 (IP: 9.10.11.12): Different IP again, same fingerprint again. Anti-bot system now has high confidence this is automated traffic — real users don’t change IPs every request. Hard block.
-
Requests 4-100: Every new IP is immediately correlated to the blocked fingerprint. All requests fail. Bright Data charges you for every single one.
IP rotation doesn’t just fail to help — it actively hurts. Changing IPs while keeping the same fingerprint is a stronger bot signal than using a single IP. Real humans don’t hop between residential IPs in different cities every 30 seconds.
Bright Data rotates IPs but can’t rotate fingerprints
This is Bright Data’s fundamental problem on anti-bot sites. They have 72 million residential IPs. Impressive. But they can’t give each request a unique, consistent, realistic browser fingerprint because:
Headless browsers have detectable fingerprints
Bright Data’s browser-based solutions use headless Chrome instances in their data centers. These instances share common characteristics:
- Server-grade hardware produces distinctive canvas/WebGL renders
- Data center GPU drivers differ from consumer hardware
- Missing or incorrect audio hardware
- Chrome automation flags (even when patched, the patches themselves are detectable)
Fingerprint spoofing is detectable
You can try to override canvas, WebGL, and audio APIs to return fake values. Anti-bot systems check for this:
- Is
HTMLCanvasElement.prototype.toDataURLoverridden? (check: compare against native implementation) - Does the canvas fingerprint match the claimed GPU? (Nvidia fingerprint but AMD WebGL renderer = spoofed)
- Are the fingerprint values consistent with each other? (Random fingerprints create impossible combinations)
DataDome specifically tests for fingerprint spoofing and considers it a strong bot signal. You’re better off sending your real fingerprint than sending a spoofed one that doesn’t add up.
Session state management is a hard problem
To truly rotate fingerprints, you’d need to rotate entire browser environments — different machines with different hardware, different profiles, different cookie stores, different browsing history. Bright Data’s infrastructure isn’t built for this. They’re built for routing HTTP requests through different IPs. That’s a fundamentally different (and much simpler) problem.
What ScraperAPI, Oxylabs, and ZenRows get wrong
The same analysis applies to every proxy-based scraping service:
ScraperAPI: Sends HTTP requests with no browser fingerprint at all. On anti-bot sites, no fingerprint = obvious bot. Blocked on first request.
Oxylabs: Claims “smart proxy” technology. Their browser fingerprints come from a small pool of headless browser instances. Anti-bot systems have seen these fingerprints millions of times. Known bot fingerprint = instant block.
ZenRows: Offers “anti-bot bypass” that patches common detection points. But they use shared browser pools, which means shared fingerprints, which means the moment one customer’s session is flagged, the fingerprint is burned for everyone.
Apify: Lets you run your own browsers, which is better, but you’re still running in their cloud infrastructure with cloud-specific hardware fingerprints. And you’re responsible for solving every detection challenge yourself.
Our approach: real browsers, real fingerprints, real sessions
UltraWebScrapingAPI doesn’t rotate IPs and hope for the best. We manage the entire session identity:
Unique browser environments
Each scraping session runs in a genuine Chrome browser with a unique, internally consistent fingerprint. Canvas, WebGL, audio, TLS — every signal is real and matches a realistic consumer hardware profile.
Proper session state management
We maintain proper cookie jars, localStorage state, and session continuity. When an anti-bot system sets a tracking cookie, we handle it correctly. When it checks session consistency, our sessions are consistent.
Fingerprint-aware request routing
We don’t just rotate IPs — we rotate entire browser identities. A new session means a new fingerprint, new cookies, new TLS signature, new behavioral profile. To the anti-bot system, every session looks like a genuinely new user on a genuinely different device.
Per-site fingerprint optimization
Different anti-bot systems weight different fingerprint signals. Akamai cares heavily about TLS fingerprinting. DataDome focuses on canvas and behavioral correlation. PerimeterX emphasizes cross-signal consistency. We analyze each site’s specific detection priorities and optimize our fingerprints accordingly.
The numbers don’t lie
| Approach | What Anti-Bot Sees | Result |
|---|---|---|
| Bright Data (IP rotation) | Same fingerprint, rotating IPs | Blocked after 1-3 requests |
| ScraperAPI (HTTP requests) | No fingerprint at all | Blocked on first request |
| ZenRows (shared browsers) | Known bot fingerprint | Blocked on first request |
| UltraWebScrapingAPI | Unique, consistent, real fingerprint | 99%+ success rate |
IP rotation is dead for anti-bot sites. The sooner you accept that, the sooner you stop wasting money on services built around a strategy that stopped working years ago.
See fingerprint-aware scraping in action. Try UltraWebScrapingAPI in our free playground — bring the URL that Bright Data can’t handle, and watch us deliver the data on the first request.