IP Intelligence - Proxy / VPN / Bad IP Detection

IP Intelligence is a service that determines how likely an IP address is a proxy / VPN / bad IP using advanced mathematical and modern computing techniques

Detect bot, proxy, and VPN traffic to: The system is serving millions of API requests a week and growing as more people find it useful in protecting their online infrastructure. Our service is used by gaming communities, e-commerce websites, research universities & institutions, law enforcement, and large financial institutions. Not all proxy / VPN detection services are the same. The techniques involved can be vastly different and produce noticeable differences. Feel free to compare the results from this service to any other, including paid options from various vendors.
It is recommended that you thoroughly read the information below before implementation.

How It Works

Given an IP address, the system will return a probabilistic value (between a value of 0 and 1) of how likely the IP is a VPN / proxy / hosting / bad IP. A value of 1 means that IP is explicitly banned (a web host, VPN, or TOR node) by our dynamic lists. Otherwise, the output will return a real number value between 0 and 1, of how likely the IP is bad / VPN / proxy, which is inferred through machine learning & probability theory techniques using dynamic checks with large datasets. Billions of new records are parsed each month to ensure the datasets have the latest information and old records automatically expire. The system is designed to be efficient, fast, simple, and accurate.

Assumptions

The following assumptions must be met for the sake of accuracy and correctness.
  • It is assumed that the IP you're looking up is making a request to your services on an application level. If you block IPs on a lower level, important services such as DNS maybe be blocked which is not desired. Be sure the source IP addresses are correct (not spoofed) if you're trying to protect a UDP based service.
  • If your online services involve multiple servers or external services that interact with your online infrastructure, it is assumed that you do not look up these IPs or the IPs are whitelisted on your system.
  • A valid email that is checked frequently must be used in the contact field or else your service might be disabled without notice because there is no way to contact you.
  • If you are using the API interface, please do not exceed more than 500 queries per day & 15 queries per minute. Custom packages are available if you contact me. More information is available in the FAQs.
  • If you believe the results are incorrect, please contact me so I can look into it. I will happily correct any issues.
  • By using this service, you agree to the Terms of Service listed below.

Usage & Implementation


Web Interface
The web interface allows you to quickly lookup IPs without touching any code. It is assumed that the IP you're looking up has made requests to your services on an application level. The web interface uses flags=f which requests full bad IP detection including compromised systems. If you wish to skip full bad IP detection, please use the API instead. A full lookup might take up to 5 seconds to complete because results are generated in real-time.






API
The full API documentation is available on the API page

Expected Input
The proxy check system takes in an input via HTTP GET request. The URL is http://check.getipintel.net/check.php and the parameter is ip. The system fully supports IPv4 with partial support for IPv6.

Include Your Contact Information
Include your contact information so I can notify you if a problem arise or if there are core changes. In some situations, people query the system in a wrong manner and assume everything is working (but due to the lack of or improper handling of error codes), it's not the case. Since I only have the connecting IP address, I cannot help the person correct the error.
To include your contact information, add another parameter to your request called contact and provide your email.

A typical query looks like:
http://check.getipintel.net/check.php?ip=IPHere&contact=YourEmailAddressHere


Do not use URL encoding on the input parameters.

All queries that do not contain accurate contact information will be rejected with an error or it'll be dropped by the firewall.

Start with flags=m option if only proxy / VPN detection is needed. If flags=m does not have a noticeable impact, then use flags=b. The default query (no flags) is mostly used infront of a payment gateway to protect against fraud because bad IP detection is included.
If you are contacted, please respond in 2 days or the contact information could be considered as inaccurate. Your information will only be used for the purpose of communication with GetIPIntel.


Optional settings for Input
  • flags=m is used when you're only looking for the value of "1" as the result. The m flag skips the dynamic checks and only uses dynamic ban lists. See Variations of Implementation and What are dynamic checks? for detailed explanation.
  • flags=b is used when you want to use dynamic ban and dynamic checks with partial bad IP check. See Variations of Implementation for detailed explanation.
  • flags=f is used when you want to force the system to do a full lookup, which can take up to 5 seconds. See Variations of Implementation for detailed explanation.
  • flags=n is used to exclude real time block list. Append the character "n" if you're already using flags=m, b, or f. For example, flags=nm.
  • oflags=b is used when you want to see if the IP is considered as bad IP. Note that when using flags option, this result can vary due to the included datasets. Please see the comparsion table for more information.
  • oflags=c is used when you want to see which country the IP came from / which country the IP belongs to (GeoIP Location). Currently in alpha testing.
  • format=json returns the result in JSON format with extra information.

Expected Output
On a valid request, the system will return a value between 0 - 1 (inclusive) of how likely the given IP is a proxy. On error, a negative value will be returned. If format=json is used, a valid JSON format will be returned with extra information, see below for details.

Interpretation of the Results
If a value of 0.50 is returned, then it is as good as flipping a 2 sided fair coin, which implies it's not very accurate. From my personal experience, values > 0.95 should be looked at and values > 0.99 are most likely proxies. Anything below the value of 0.90 is considered as "low risk". Since a real value is returned, different levels of protection can be implemented. It is best for a system admin to test some sample datasets with this system and adjust implementation accordingly. I only recommend automated action on high values ( > 0.99 or even > 0.995 ) but it's always best to manually review IPs that return high values. For example, mark an order as "under manual review" and don't automatically provision the product for high proxy values. Be sure to experiment with the results of this system before you use it live on your projects. If you believe the result is wrong, don't hesitate to contact me, I can tell you why. If it's an error on my end, I'll correct it. If you email me, expect a reply within 12 hours.

Comparing the Different Flags

Flags Data Sets Used Pros Cons Response Time (No Network Latency) Suggested Use Based on Requirements
flags=m dynamic ban lists fastest, smallest chance for false positives IPs that are not on blocklists will get through <60 ms Least amount of false positives | fastest speeds | ok with letting some IPs through | only care about proxies & VPNs
flags=b dynamic ban lists, dynamic checks, some bad IP checks fast, catches more proxy / VPN IPs than flags=m, skips some compromised system detection so complaints from residential users are reduced because most likely the user do not know they're compromised or they received a dirty IP from their ISP higher chance of false positives than flags=m < 130 ms fast speeds, want to let less proxy / VPN IPs through than flags=m | do not want to fully utilize bad IP detection | only care about proxies & VPNs
no flags (default query) dynamic ban lists, dynamic checks, full bad IP checks fast, full IP check, a balance between speed and full IP check higher chance of false positives than flags=m | might require 1 more query after 5 seconds to be sure < 130 ms fast speeds, ok with making multiple queries with the same IP
flags=f dynamic ban lists, dynamic checks, full bad IP checks forces a full IP check which does not take additional queries to be sure higher chance of false positives than flags=m, slowest < 5000 ms ok with waiting for a full lookup that can take up to 5 secs

Error Codes
The proxy check system will return negative values on error. For standard format (non-json), an additional HTTP 400 status code is returned
  • -1 Invalid no input
  • -2 Invalid IP address
  • -3 Unroutable address / private address
  • -4 Unable to reach database, most likely the database is being updated. Keep an eye on twitter for more information.
  • -5 Your connecting IP has been banned from the system or you do not have permission to access a particular service. Did you exceed your query limits? Did you use an invalid email address? If you want more information, please use the contact links below.
  • -6 You did not provide any contact information with your query or the contact information is invalid.
  • If you exceed the number of allowed queries, you'll receive a HTTP 429 error.
Be sure to implement exception handling such as timeouts, HTTP 429 error, and the error codes listed above.

Disclaimer


No guaranatees, warranties, etc, is provided or implied. Use at your own risk. GetIPIntel is not liable for damages or claims of any kind.

Terms of Service


By using this service, you agree to:
  • Not sell this service or information generated from this service, directly or indirectly, without explicit consent.
  • Not use / reuse information generated from this service, directly or indirectly, without giving credit to the source (this website).
  • Not exceed the query limits if you're a free user.
  • Not look up random IPs / incremental IP lookups. The database changes very often so information becomes stale very fast. It just causes a higher server load for no reason.
  • The Terms of Service may change at any given time, without prior notice.


Contact


You can find me on Twitter, GitHub, or email. If I do not respond to your email within 24 hours then something wrong, check your spam folder. Please send an email to my gmail address, or contact me via twitter. Ultimately, I want the system to be as accurate as possible, so please let me know if there are any inaccuracies, I'd like to fix the issue. Let me know if you have any custom requirements such as more queries per minute, skip cache so it always gets the latest data and recompute the result, etc.