Free real-time IP intelligence API to protect your business from fraud, abuse, and malicious traffic
GetIPIntel.net is a service that determines how likely an IP address is a proxy / VPN / bad IP using advanced mathematical and modern computing techniques
Greatly reduce fraud on e-commerce sites with anti-fraud protection and payment gateway security.
Protect your site from XSS, SQLi, brute force attacks, application scanning, and other automated hacking attempts.
Protect your site from crawlers that steal your content and stop bots from scraping your data.
Prevent users from abusing promotional offers, multiple sign-ups, affiliate abuse, and spam.
The proxy check system takes in an input via HTTP GET request. The URL is http://check.getipintel.net/check.php and the parameter is ip. The system fully supports IPv4 with partial support for IPv6.
Include your contact information so I can notify you if a problem arises or if there are core changes. In some situations, people query the system in a wrong manner and assume everything is working (but due to the lack of or improper handling of error codes), it's not the case. Since I only have the connecting IP address, I cannot help the person correct the error.
To include your contact information, add another parameter to your request called contact and provide your email.
http://check.getipintel.net/check.php?ip=IPHere&contact=YourEmailAddressHere
On a valid request, the system will return a value between 0 - 1 (inclusive) of how likely the given IP is a proxy. On error, a negative value will be returned. If format=json is used, a valid JSON format will be returned with extra information, see below for details.
If a value of 0.50 is returned, then it is as good as flipping a 2-sided fair coin, which implies it's not very accurate. From personal experience, values > 0.95 should be looked at and values > 0.99 are most likely proxies. Anything below the value of 0.90 is considered as "low risk". Since a real value is returned, different levels of protection can be implemented.
Be sure to experiment with the results of this system before you use it live on your projects. If you believe the result is wrong, don't hesitate to contact me, I can tell you why. If it's an error on my end, I'll correct it. If you email me, expect a reply within 12 hours.
If you get a value between 0 - 1, exclusive (like 0.99, 0.99999, 0.97), these values are generated by dynamic checks which looks for characteristics of the given IP. IPs that are either manually banned or seen on a public proxy site will return a value of 1. If you only want manually banned or public proxies, then in your code just look for the value "1".
If you only look for the value of "1", then expect to have more proxy / VPN / bad IPs go through your system, however, false positives are less likely if you use the dynamic ban list option.
If you wish to use only manually banned & public proxy IPs, append the parameter &flags=m, the system will only return a result of 0 or 1. This option is the best to start off with that will have a noticeable impact in bot / proxy / VPN traffic.
http://check.getipintel.net/check.php?ip=IPHere&contact=SomeEmailAddressHere&flags=m
This option is the fastest.
In this scenario, you want to use dynamic checks as well but you want to skip additional checks to see if the IP is a bad IP. In this mode, some bad IPs are still detected but the system does not attempt to go through the full bad IPs check because the time for the extra checks vary wildly (between an extra 200ms to 2 seconds).
In this mode, false positives are more likely than dynamic ban lists only. Scores are lower compared to the full IP check (without any flag options) because less attributes are considered.
If you wish to use dynamic ban list and dynamic checks only, append the parameter &flags=b. This option is the best if dynamic ban lists isn't catching enough IPs but you don't want to run the full check because it takes too long and/or you want to have a predictable execution time.
http://check.getipintel.net/check.php?ip=IPHere&contact=SomeEmailAddressHere&flags=b
This is the default lookup with no flags. Since the system is designed to work with real-time systems (return a result as fast as possible), some time consuming checks are put into a background process. This allows the system to return a result much faster.
If those time consuming checks reveal that the returned result was not accurate (which is rare), the system will adjust the values. However, you must query the service again with the same IP to obtain the new result. Typically, the background jobs take no longer than 5 seconds to complete.
If you want to force the system to do a full lookup (no background processes), use flags=f option.
If you don't mind waiting up to 5 seconds for a result and you want the system to do a full lookup with one query, then use &flags=f option.
http://check.getipintel.net/check.php?ip=IPHere&contact=SomeEmailAddressHere&flags=f
This option is the slowest and should only be used on non-real-time applications.
Append &oflags=b to your query if you wish to know if the IP is considered as a bad IP. Standard output will append another integer value separated by a comma. If JSON output is chosen, then an additional element called "BadIP" is added in the results.
A value of 1 represents that it is a bad IP, 0 otherwise. Note that if you are using flags option, the results may vary.
IPv6 is currently not supported yet for this feature. If the Proxy / VPN / Bad IP score for flags=m returns 1 then oflags=b always returns 0 because if an IP is explicitly banned, then all bad IP checks are skipped.
Append &oflags=c to your query if you wish to know which country the IP belongs to. Standard output will append the country separated by a comma. If JSON output is chosen, then an additional element called "Country" is added in the results.
All countries are represented by a 2 character country code in ISO-3166 format. Note that country information is directly pulled from RIRs. Accuracy will vary so consider this as an experimental feature.
Append &oflags=i to your query if you wish to know if the IP is an iCloud Relay Egress IP, Google One VPN IP, or similar service. JSON format is recommended as some information will not be available in standard format.
Standard output will append another integer value separated by a comma. If JSON output is chosen, then 3 additional elements are added:
iCloudRelayEgress - A value of 1 represents that it is an iCloud Relay Egress IP, 0 otherwise.GoogleOneVPN - A value of 1 represents that it is a Google One VPN IP, 0 otherwise.VPNType - Will display which type of VPN it is. Currently: none, GoogleOneVPN, GoogleFiVPN, and iCloudRelayEgress.iCloudRelayEgress and GoogleOneVPN might be deprecated. Please use VPNType instead.
Append &oflags=a to your query if you wish to know the ASN number of the IP. If multiple ASNs are associated with the IP, it will be separated by a ; (semi-colon).
Standard output will append the ASN value(s) separated by a comma. If JSON output is chosen, then an additional element called "ASN" is added in the results.
Append &oflags=r to your query if you wish to include residential proxy detection via Layer3Intel. The algorithm will include data from this provider to generate the overall score.
When using format=json, an additional element ResidentialProxy score is displayed from 0 to 1 where 1 is a highly active proxy.
Currently supports IPv4 and this option is in beta.
Normally, the system outputs a negative value on error, or a value >=0 and <=1 on success. If you're more comfortable with JSON format, append the option &format=json to your queries.
Successful Query Example:
curl "http://check.getipintel.net/check.php?ip=66.228.119.72&contact=AValidEmailAddress&format=json&flags=m"
{"status":"success","result":"1","queryIP":"66.228.119.72","queryFlags":"m","queryFormat":"json","contact":"AValidEmailAddress"}
Error Query Example:
curl "http://check.getipintel.net/check.php?ip=10.10.10.10,8.8.8.8&contact=AValidEmailAddress&format=json"
{"status":"error","result":"-2","message":"Invalid IP address","queryIP":"10.10.10.10,8.8.8.8","queryFlags":null,"queryFormat":"json","contact":"AValidEmailAddress"}
| Flags | Data Sets Used | Pros | Cons | Response Time (No Network Latency) | Suggested Use |
|---|---|---|---|---|---|
| flags=m | dynamic ban lists | fastest, smallest chance for false positives | IPs that are not on blocklists will get through | < 60 ms | Least false positives | fastest speeds | ok letting some IPs through | only care about proxies & VPNs |
| flags=b | dynamic ban lists, dynamic checks, some bad IP checks | fast, catches more proxy / VPN IPs than flags=m, skips some compromised system detection | higher chance of false positives than flags=m | < 130 ms | fast speeds, want to let less proxy / VPN IPs through than flags=m | do not want to fully utilize bad IP detection | only care about proxies & VPNs |
| no flags (default query) | dynamic ban lists, dynamic checks, full bad IP checks | fast, full IP check, balance between speed and full IP check | higher chance of false positives than flags=m | might require 1 more query after 5 seconds | < 130 ms | fast speeds, ok with making multiple queries with the same IP |
| flags=f | dynamic ban lists, dynamic checks, full bad IP checks | forces a full IP check which does not take additional queries | higher chance of false positives than flags=m, slowest | < 5000 ms | ok with waiting for a full lookup that can take up to 5 secs |
The proxy check system will return negative values on error. For standard format (non-json), an additional HTTP 400 status code is returned:
I created this project because I couldn't find any good alternatives for a reasonable price. Since I have a masters degree in Computer Science specializing in Networking with interests in Machine Learning and NetSec, it's a fitting project for me to embark on. Compared to a popular paid service, the number of free queries that's being served by GetIPIntel translates to $60,000+/month and I've been told by a few people that GetIPIntel catches more proxies / VPN / bad IPs than said paid service. I'm offering it for free in the spirit of openness. Just because it's free, it does not mean it's bad, inaccurate, easy to develop, or easy to maintain.
There are many other services like this one that use simple block lists, meaning a particular IP / IP block is specifically added or removed either manually or by code from various known/trusted sources. During a lookup, if the IP is on the list, then simply return the result accordingly. However, it's a very limited view because if the IP is not on a list, it doesn't mean it's not a proxy / VPN / bad IP. It means that the simple block list system does not know or have not come across that IP address. To claim an IP address is not a proxy / VPN / bad IP just because the system has never come across the IP is a logical fallacy (see Argument from Ignorance). GetIPIntel uses Machine Learning & Probability Theory techniques to infer on IPs it doesn't have explicit knowledge about and compute the output when you request it using up to date and large data sets.
Dynamic checks are used if the IP address is not explicitly listed in the static and dynamic files. The system attempts to retrieve characteristics (or attributes in Machine Learning terms) of the given IP. Based on that data, it uses concepts from Probability Theory and ML boosting techniques to generate an overall result. All results from dynamic checks are computed in real time using large & frequently updated datasets. In short, dynamic checks allows the system to infer when it doesn't explicitly know if it's a proxy / vpn or not with mathematics.
It refers any combination of crawlers / comment & email spammers / brute force attacks. IPs that are behaving "badly" in an automated manner. Networks that are infected with malware / trojans / botnet / etc are also considered "bad". It may be possible that the user is not aware that their systems are infected or they have received an IP by their ISP that was recently infected with malicious code. If you wish to skip this, see variations of implementation.
There's a rate limit 15 requests / minute to prevent abuse as well as a burst parameter set to ensure smoothing of traffic. If you hit any of these limits, the web server will return a 429 error. Please do not exceed 500 queries per day. The limits may change based on abuse and/or server load which will be posted on twitter and at least one week in advance. If you need guaranteed resources and/or more queries, please contact me. In most cases, the cost is significantly less than other paid services.
Of course but I do not recommend caching a particular value for more than 6 hours. The Internet drastically changes over a short period of time. Hijacked networks pop up and go away relatively quickly. A low scoring IP's behavior can change in a matter of seconds, as well as a high scoring IP. When the system detects an IP with high variance in previous scores, the probability will be recomputed live with the most up to date dataset for accuracy.
GetIPIntel provides this service on an "as is" and "as available" basis without any express or implied warranties. Use of this service is entirely at your sole risk and discretion. In no event shall GetIPIntel, its owners, operators, or affiliates be liable for any damages or claims of any kind.
By using this service, you agree to:
You can find me on Twitter, GitHub, or email.
If I do not respond to your email within 24 hours then something's wrong, check your spam folder. Please send an email to my gmail address, or contact me via Twitter. Ultimately, I want the system to be as accurate as possible, so please let me know if there are any inaccuracies, I'd like to fix the issue. Let me know if you have any custom requirements such as more queries per minute, skip cache so it always gets the latest data and recompute the result, etc.