Uncovering valuable information from masked IP addresses
The fundamental nature of an IP privacy service
An IP privacy solution routes a user's traffic through one of several technologies before forwarding it to the user's intended website or internet-connected service. The technologies available to anonymize an IP address include VPNs, Tor, proxies, private relays, and hosting services. They all function in a similar manner: they mask the originating IP address and also produce a different IP geolocation result, since the servers of these services are usually located elsewhere.
Recognizing anonymous IP addresses with IPinfo’s IP to Privacy Detection data
To recognize an anonymous or masked IP address, IPinfo provides these solutions:
- IP to Privacy API: An API service that can be used to look up the privacy information of one or more IP addresses.
- IP to Privacy Database: A data service that can be used to look up the privacy information of IP addresses.
- IP to Privacy Extended Database: Provides privacy service detection methodology insights.
IP to Privacy Detection API
curl "https://ipinfo.io/84.252.115.255?token=$token"
Result:
{
"vpn": true,
"proxy": false,
"tor": false,
"relay": false,
"hosting": false,
"service": "ProtonVPN"
}
IP to Privacy Detection database
Using our mmdbctl tool and the MMDB file format.
Result:
{
"hosting": "true",
"proxy": "",
"relay": "true",
"service": "Apple Private Relay",
"tor": "",
"vpn": ""
}
IP to Privacy Detection Extended database
Using our data through all-in-one listing on Snowflake.
SELECT
*
FROM
TABLE(ip_privacy_extended('209.58.167.255'));
Result:
Field | Output |
---|---|
HOSTING | TRUE |
PROXY | |
TOR | |
VPN | TRUE |
VPN_NAME | CactusVPN |
ANYCAST | FALSE |
CENSUS | TRUE |
DEVICE_ACTIVITY | TRUE |
WHOIS | FALSE |
VPN_CONFIG | FALSE |
CENSUS_PORT | 500 |
RELAY | |
Getting information from masked IP addresses
Aside from knowing which IP addresses are anonymous, we can gain a number of interesting insights from masked IP addresses. This information is crucial for understanding organizational context, mapping the attack surface, and setting up dynamic firewalls, among other things. Even though it is not possible to obtain information about the originating IP address, organizational context, such as company information and ASN information, is essential in threat intelligence operations.
IP to Company Data
The first and foremost dataset you should consider is our IP to Company data. It is available as an API, as a database, and in Snowflake.
IP-to-company data is valuable because it provides the organizational/company context behind the IP data. IP privacy businesses often do not have their own infrastructure solution, so they rent infrastructure and technology solutions from specialized companies. For robust attack surface mapping and threat intelligence operations, it is far more important to know which companies are providing these services to the IP privacy companies.
Example:
Consider the ProtonVPN-operated IP address 84.252.115.255. We can take a look at the company of the IP address using our IP to Company database on Snowflake.
SELECT
*
FROM
TABLE(ip_company('84.252.115.255'));
Result:
Field | Output |
---|---|
NAME | Onet Solutions SAS |
DOMAIN | onetsolutions.net |
TYPE | business |
ASN | AS212238 |
AS_NAME | Datacamp Limited |
AS_DOMAIN | datacamp.co.uk |
AS_TYPE | hosting |
COUNTRY | AE |
As you can see, Onet Solutions SAS is the tech infrastructure provider for Proton VPN, while the IP address itself is owned by Datacamp Limited, a very popular VPN infrastructure provider company. Information such as the name of the privacy service provider is trivial if you have access to the organization information of the anonymous IP address.
Even though the company database provides ASN information, we highly recommend using both the ASN and Company databases at the same time. You can learn about the reason here. If you are using our API services, that is not necessary, as the business tier includes both services in one tier.
{
"ip": "84.252.115.255",
"privacy": {
"vpn": true,
"proxy": false,
"tor": false,
"relay": false,
"hosting": false,
"service": "ProtonVPN"
},
"company": {
"name": "ONETSOLUTIONS SAS",
"domain": "onetsolutions.net",
"type": "business"
},
"asn": {
"asn": "AS212238",
"name": "Datacamp Limited",
"domain": "datacamp.co.uk",
"route": "84.252.115.0/24",
"type": "hosting"
}
}
ASN Database
Even though a company may operate or assist in a VPN operation, they may not own the IP address that is being used by the VPN service. The VPN IP address can be owned by a separate company.
- Company: Organization that is using the IP address
- ASN data: Organization that owns the IP address
To get the information of the owner of the IP address, you can use the ASN database. You can use our API, database, or even our free ASN database to get the ASN information from IP addresses.
Example:
Using the ASN API + Privacy API.
curl "https://ipinfo.io/209.58.167.255?token=$token"
{
"ip": "209.58.167.255",
"privacy": {
"vpn": true,
"proxy": false,
"tor": false,
"relay": false,
"hosting": true,
"service": "Perfect Privacy"
},
"asn": {
"asn": "AS59253",
"name": "Leaseweb Asia Pacific pte. ltd.",
"domain": "leaseweb.com",
"route": "209.58.160.0/20",
"type": "hosting"
}
}
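The results above arrive in two shapes: API responses nest JSON booleans under "privacy", while the MMDB record is flat and uses "true" or an empty string. The following sketch is an added example, not IPinfo code. It normalizes both shapes and separates the operator (company) from the owner (ASN); the helper names as_bool, summarize and routes_by_owner are hypothetical, and the inputs are the results printed on this page, trimmed.

```python
PRIVACY_FLAGS = ("vpn", "proxy", "tor", "relay", "hosting")

# Lookup results shown on this page (trimmed), as they look after json.loads().
API_PROTON = {
    "ip": "84.252.115.255",
    "privacy": {"vpn": True, "proxy": False, "tor": False, "relay": False,
                "hosting": False, "service": "ProtonVPN"},
    "company": {"name": "ONETSOLUTIONS SAS", "domain": "onetsolutions.net"},
    "asn": {"asn": "AS212238", "name": "Datacamp Limited",
            "route": "84.252.115.0/24"},
}
API_PERFECT = {  # ASN + privacy only: this response has no "company" block
    "ip": "209.58.167.255",
    "privacy": {"vpn": True, "proxy": False, "tor": False, "relay": False,
                "hosting": True, "service": "Perfect Privacy"},
    "asn": {"asn": "AS59253", "name": "Leaseweb Asia Pacific pte. ltd.",
            "route": "209.58.160.0/20"},
}
MMDB_RELAY = {"hosting": "true", "proxy": "", "relay": "true",
              "service": "Apple Private Relay", "tor": "", "vpn": ""}

def as_bool(value):
    """The API returns JSON booleans; the MMDB record returns "true" or ""."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

def summarize(record):
    """Reduce one lookup result to the fields an analyst pivots on."""
    privacy = record.get("privacy", record)  # bare privacy results are flat
    company, asn = record.get("company") or {}, record.get("asn") or {}
    return {
        "ip": record.get("ip"),
        "masked_by": [f for f in PRIVACY_FLAGS if as_bool(privacy.get(f, ""))],
        "service": privacy.get("service") or None,
        "operator": company.get("name"),  # organization using the address
        "owner": asn.get("name"),         # organization owning the address
        "asn": asn.get("asn"),
        "route": asn.get("route"),
    }

def routes_by_owner(records):
    """Group routes of masked addresses by owning ASN for firewall review."""
    grouped = {}
    for s in map(summarize, records):
        if s["masked_by"] and s["asn"] and s["route"]:
            grouped.setdefault(s["asn"], set()).add(s["route"])
    return grouped

if __name__ == "__main__":
    samples = [API_PROTON, API_PERFECT, MMDB_RELAY]
    print([summarize(r) for r in samples], routes_by_owner(samples))
```

Records without ASN data, such as the flat MMDB privacy record, still get a summary but are left out of the route grouping.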