IP Intelligence is a service that determines how
likely an IP address is to be a proxy / VPN / bad IP using advanced
mathematical and modern computing techniques.
Detect bot, proxy, and VPN traffic to:
- Greatly reduce fraud on e-commerce sites (anti-fraud)
- Protect your site from automated hacking attempts such as XSS,
  SQLi, brute force attacks, application scanning and many others
- Protect your site from crawlers that steal your content
- Stop bots from scraping your content or spamming your website
- Serve traffic / content to real users, not bots. Reduce fake
  views, clicks, and activity that result in click fraud and view
  fraud (anti-bot detection)
- Prevent trolls / people that are trying to bypass a ban
- Adjust your system to limit access (such as not allowing them to
  change their password, their email, etc) to prevent account
  hijacking
- Since the system returns a real value and there are different flag
  options, you can customize the level of protection for a particular
  time frame and adjust accordingly
- Use it in combination with another fraud prevention service to
  make it even better. Some fraud prevention services do not
  explicitly look for proxy / VPN / bad IPs
The system is serving millions of API requests a week and growing as
more people find it useful in protecting their online infrastructure.
Our service is used by gaming communities, e-commerce websites,
research universities & institutions, law enforcement, and large
financial institutions. Not all proxy / VPN detection services are
the same. The techniques involved can be vastly different and produce
noticeable differences. Feel free to compare the results from this
service to any other, including paid options from various vendors.
It is recommended that you thoroughly read the information below
before implementation.
How It Works
Given an IP address, the system will return a probabilistic
value (between 0 and 1) of how likely the IP is a VPN / proxy /
hosting / bad IP. A value of 1 means that the IP is explicitly
banned (a web host, VPN, or TOR node) by our dynamic lists.
Otherwise, the output will return a real number value between 0 and
1, of how likely the IP is bad / VPN / proxy, which is inferred
through machine learning & probability theory techniques
using dynamic checks with large datasets. Billions of new records
are parsed each month to ensure the datasets have the latest
information and old records automatically expire. The system is
designed to be efficient, fast, simple, and accurate.
Assumptions
The following assumptions must be met for the sake of
accuracy and correctness.
- It is assumed that the IP you're looking up is making a request
  to your services on an application level. If you block IPs
  on a lower level, important services such as DNS may be blocked,
  which is not desired. Be sure the source IP addresses are correct
  (not spoofed) if you're trying to protect a UDP based service.
- If your online services involve multiple servers or external
  services that interact with your online infrastructure, it is
  assumed that you do not look up these IPs or the IPs are
  whitelisted on your system.
- A valid email that is checked frequently must be used in the
  contact field or else your service might be disabled without
  notice because there is no way to contact you.
- If you are using the API interface, please do not exceed
  500 queries per day & 15 queries per minute. Custom packages
  are available if you contact me. More information is available in
  the FAQs.
- If you believe the results are incorrect, please contact me so
  I can look into it. I will happily correct any issues.
- By using this service, you agree to the Terms of
  Service listed below.
Usage & Implementation
Web Interface
A quick start to checking any IP address. The web interface by default uses flags=f.
The full API documentation is available on the API page.
Expected Input
The proxy check system takes in an input via HTTP GET request. The URL is
http://check.getipintel.net/check.php and the parameter is ip.
The system fully supports IPv4 with partial support for IPv6.
Include Your Contact Information
Include your contact information so I can notify you if a problem
arises or if there are core changes. In some situations, people query
the system incorrectly and assume everything is working when, because
error codes are not handled or are handled improperly, it is not.
Since I only have the connecting IP address, I cannot help the
person correct the error. To include your contact information,
add another parameter to your request called contact and provide
your email.
All queries that do not contain accurate contact information
will be rejected with an error or dropped by the firewall.
Start with the flags=m option if only proxy / VPN detection is needed.
If flags=m does not have a noticeable impact, then use flags=b.
The default query (no flags) is mostly used in front of a payment
gateway to protect against fraud because bad IP detection is
included.
If you are contacted, please respond within 2 days or the contact
information could be considered inaccurate. Your information will
only be used for the purpose of communication with GetIPIntel.
Optional settings for Input
- flags=m is used when you're only looking for the value of "1" as
  the result. The m flag skips the dynamic checks and only uses
  dynamic ban lists. See "Variations of Implementation" and "What are
  dynamic checks?" for a detailed explanation.
- flags=b is used when you want to use dynamic ban and dynamic checks
  with partial bad IP check. See "Variations of Implementation" for a
  detailed explanation.
- flags=f is used when you want to force the system to do a full
  lookup, which can take up to 5 seconds. See "Variations of
  Implementation" for a detailed explanation.
- flags=n is used to exclude the real time block list. Append the
  character "n" if you're already using flags=m, b, or f. For
  example, flags=nm.
- oflags=b is used when you want to see if the IP is considered a
  bad IP. Note that when using the flags option, this result can vary
  due to the included datasets. Please see the comparison table for
  more information.
- oflags=c is used when you want to see which country the IP came
  from / which country the IP belongs to (GeoIP Location). Currently
  in alpha testing.
- oflags=i is used when you want to exclude iCloud Relay Egress IPs,
  Google Cloud One VPN, or some other similar service. They are by
  definition a proxy/VPN IP, however, having this additional data may
  help you make a more informed decision.
- oflags=a is used when you want to see the ASN number of the IP.
- format=json returns the result in JSON format with extra
  information.
Expected Output
On a valid request, the system will return a value between 0 - 1
(inclusive) of how likely the given IP is a proxy. On error, a
negative value will be returned. If format=json is used, a valid
JSON format will be returned with extra information, see below for
details.
Interpretation of the Results
If a value of 0.50 is returned, then it is as good as flipping a
2 sided fair coin, which implies it's not very accurate. From my
personal experience, values > 0.95 should be looked at and values
> 0.99 are most likely proxies. Anything below the value of 0.90 is
considered as "low risk". Since a real value is returned, different
levels of protection can be implemented. It is best for a system
admin to test some sample datasets with this system and adjust
implementation accordingly. I only recommend automated action on high
values ( > 0.99 or even > 0.995 ) but it's always best to manually
review IPs that return high values. For example, mark an
order as "under manual review" and don't automatically provision the
product for high proxy values. Be sure to experiment with
the results of this system before you use it live on your projects.
If you believe the result is wrong, don't hesitate to contact me, I
can tell you why. If it's an error on my end, I'll correct it. If
you email me, expect a reply within 12 hours.
Comparing the Different Flags

flags=m
  Data Sets Used: dynamic ban lists
  Pros: fastest, smallest chance for false positives
  Cons: IPs that are not on blocklists will get through
  Response Time (No Network Latency): < 60 ms
  Suggested Use Based on Requirements: Least amount of false
    positives | fastest speeds | ok with letting some IPs through |
    only care about proxies & VPNs

flags=b
  Data Sets Used: dynamic ban lists, dynamic checks, some bad IP checks
  Pros: fast, catches more proxy / VPN IPs than flags=m, skips some
    compromised system detection so complaints from residential
    users are reduced because most likely the users do not know
    they're compromised or they received a dirty IP from their ISP
  Cons: higher chance of false positives than flags=m
  Response Time (No Network Latency): < 130 ms
  Suggested Use Based on Requirements: fast speeds, want to let less
    proxy / VPN IPs through than flags=m | do not want to fully
    utilize bad IP detection | only care about proxies & VPNs

no flags (default query)
  Data Sets Used: dynamic ban lists, dynamic checks, full bad IP checks
  Pros: fast, full IP check, a balance between speed and full IP
    check
  Cons: higher chance of false positives than flags=m | might
    require 1 more query after 5 seconds to be sure
  Response Time (No Network Latency): < 130 ms
  Suggested Use Based on Requirements: fast speeds, ok with making
    multiple queries with the same IP

flags=f
  Data Sets Used: dynamic ban lists, dynamic checks, full bad IP checks
  Pros: forces a full IP check which does not take additional
    queries to be sure
  Cons: higher chance of false positives than flags=m, slowest
  Response Time (No Network Latency): < 5000 ms
  Suggested Use Based on Requirements: ok with waiting for a full
    lookup that can take up to 5 secs

Error Codes
The proxy check system will return negative values on error. For
standard format (non-json), an additional HTTP 400 status code is
returned.
-1 Invalid no input
-2 Invalid IP address
-3 Unroutable address / private address
-4 Unable to reach database, most likely the database is being
   updated. Keep an eye on twitter for more information.
-5 Your connecting IP has been banned from the system or you do
   not have permission to access a particular service. Did you exceed
   your query limits? Did you use an invalid email address? If you
   want more information, please use the contact links below.
-6 You did not provide any contact information with your query
   or the contact information is invalid.
If you exceed the number of allowed queries, you'll receive a
HTTP 429 error.
Be sure to implement exception
handling such as timeouts, HTTP 429 error, and the error codes
listed above.
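A small client for the plain (non-JSON) interface described above, added here as an example and not GetIPIntel's own code. The action names, the local routability pre-check and the default thresholds (taken from the interpretation guidance above) are assumptions of this example. The point is that a negative error code must be handled before any threshold comparison, otherwise it silently reads as a low score.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlencode

API_URL = "http://check.getipintel.net/check.php"  # endpoint given on this page
ERRORS = {-1: "no input", -2: "invalid IP address", -3: "unroutable / private address",
          -4: "database unreachable", -5: "banned or no permission",
          -6: "missing or invalid contact"}  # codes from the Error Codes list

def build_query(ip, contact, flags="m"):
    """Validate locally so codes -2 / -3 never cost a query, then build the URL."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if not addr.is_global:
        raise ValueError(f"{ip} is not publicly routable")
    params = {"ip": str(addr), "contact": contact}
    if flags:
        params["flags"] = flags
    return f"{API_URL}?{urlencode(params)}"

def decide(status, body, review_at=0.95, hold_at=0.99):
    """Map one plain-format response to (action, detail); action names are hypothetical."""
    if status == 429:
        return ("retry_later", "query limit exceeded")
    try:
        score = float(body.strip())
    except ValueError:
        return ("error", "unparseable body")
    if score < 0:  # error code: must never be compared against the thresholds
        action = "retry_later" if score == -4 else "error"
        return (action, ERRORS.get(score, f"unknown code {body.strip()}"))
    if not score <= 1:  # also rejects NaN / inf
        return ("error", "score out of range")
    if score > hold_at:
        return ("hold_for_review", score)
    if score > review_at:
        return ("flag", score)
    return ("allow", score)

def lookup(ip, contact, flags="m", timeout=6):
    """Live query (not exercised offline); HTTP 400 / 429 arrive as HTTPError."""
    try:
        with urllib.request.urlopen(build_query(ip, contact, flags), timeout=timeout) as r:
            return decide(r.status, r.read().decode("ascii", "replace"))
    except urllib.error.HTTPError as e:
        return decide(e.code, e.read().decode("ascii", "replace"))
    except OSError:  # URLError, refused connection, timeout
        return ("retry_later", "network error or timeout")
```

Whether an "error" or "retry_later" result lets the request through or holds it is a policy decision for the calling application.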
Disclaimer
No guarantees, warranties, etc, is provided or implied. Use at
your own risk. GetIPIntel is not liable for damages or claims of any
kind.
Terms of Service
By using this service, you agree to:
- Not sell this service or information generated from this
  service, directly or indirectly, without explicit consent.
- Not use / reuse information generated from this service,
  directly or indirectly, without giving credit to the source (this
  website).
- Not exceed the query limits if you're a free user.
- Not look up random IPs / incremental IP lookups. The database
  changes very often so information becomes stale very fast. It just
  causes a higher server load for no reason.
The Terms of Service may change at any given time, without
prior notice.
Contact
You can find me on Twitter,
GitHub, or email. If I do not respond
to your email within 24 hours then something is wrong, check your spam
folder. Please send an email to my gmail address, or contact
me via twitter. Ultimately, I want the system to be as accurate as
possible, so please let me know if there are any inaccuracies, I'd
like to fix the issue. Let me know if you have any custom
requirements such as more queries per minute, skip cache so it
always gets the latest data and recompute the result, etc.