The IP Blocklist API will detect potentially malicious or dangerous IP addresses.
Use this API for identifying malicious hosts, anonymous proxies, tor, botnets, spammers and more.
Block, filter or flag traffic to help reduce attacks on your networks and software stacks.
IP addresses are automatically removed from the blocklist after 7 days provided no other malicious activity is detected.
You can also download the complete IP data for direct use on your own systems using the Download API.
IP blocklist will detect the following main categories of IP addresses:
Bots and botnets
Under the hood there are 3 core components that make up our blocklist:
This is our system of autonomous bots, crawlers and honeypots which continuously collect data from across the Internet in realtime
This system collects IP data from security appliances,
this includes feeds from firewalls, gateways and intrusion detection systems (IDS)
We compile data from many public sources of IP data.
This includes public blocklists, blacklists, botnet trackers and various security intelligence feeds
An IPv4 or IPv6 address. Accepts standard IP notation (with or without port number), CIDR notation and IPv6 compressed notation. If multiple IPs are passed using comma-separated values the first non-bogon address on the list will be checked
Include public VPN provider IP addresses. NOTE: For more advanced VPN detection including the ability to identify private and stealth VPNs use the IP Probe API
The IP address
The CIDR address for this listing (only set if the IP is listed)
Is this IP on a blocklist
The unix time when this IP was last seen on any blocklist. IPs are automatically removed after 7 days therefor this value will never be older than 7 days
The number of blocklists the IP is listed on
An array of strings indicating which blocklist categories this IP is listed on
An array of objects containing details on which specific sensors detected the IP:
The sensor ID. This is a permanent and unique ID for each sensor
The primary blocklist category this sensor belongs to
Contains details about the sensor source and what type of malicious activity was detected
IP has been detected as an anonymous web proxy or anonymous HTTP proxy
IP is a Tor node or running a Tor related service
IP belongs to a public VPN provider (only set if the 'vpn-lookup' option is enabled)
IP is involved in distributing or is running malware
IP is involved in distributing or is running spyware
IP has been flagged as a significant attack source by DShield (dshield.org)
IP is part of a hijacked netblock or a netblock controlled by a criminal organization
IP is running a hostile web spider / web crawler
IP is hosting a malicious bot or is part of a botnet. This is a broad category which includes brute-force crackers
IP address is hosting a spam bot, comment spamming or any other spamming type software
IP is hosting an exploit finding bot or is running exploit scanning software
Average RTT for requests within the same data center/region
Maximum inbound request rate. Exceeding this will result in request blocking/throttling
Maximum concurrent/simultaneous requests. Exceeding this will result in error code 06 [TOO MANY CONNECTIONS]