The IP Blocklist API will detect potentially malicious or dangerous IP addresses.
Use this API for identifying malicious hosts, anonymous proxies, Tor nodes, botnets, spammers and more.
Block, filter or flag traffic to help reduce attacks on your networks and software stacks.
IP addresses are automatically removed from the blocklist after 7 days, provided no other malicious activity is detected.
You can also download the complete IP data for direct use on your own systems using the Download API.
IP blocklist will detect the following main categories of IP addresses:
Open proxies
Tor nodes
Public VPNs
Spam hosts
Phishing hosts
Malware servers
Attack sources
Criminal netblocks
Malicious spiders
Bots and botnets
Exploit scanners
Brute-force crackers
Under the hood there are 3 core components that make up our blocklist:
Autonomous Networks - This is our system of autonomous bots, crawlers and honeypots which continuously collect data from across the Internet in real time.
Firewall Aggregation - This system collects IP data from security appliances, including feeds from firewalls, gateways and intrusion detection systems (IDS).
Open Data - We compile data from many public sources of IP data. This includes public blocklists, blacklists, botnet trackers and various security intelligence feeds.
An IPv4 or IPv6 address. Accepts standard IP notation (with or without port number), CIDR notation and IPv6 compressed notation. If multiple IPs are passed using comma-separated values, the first non-bogon address on the list will be checked.
vpn-lookup
no
boolean
false
Include public VPN provider IP addresses. NOTE: For more advanced VPN detection, including the ability to identify private and stealth VPNs, use the IP Probe API.
API Response
Parameter | Type | Description
ip | string | The IP address
cidr | string | The CIDR address for this listing (only set if the IP is listed)
is-listed | boolean | Is this IP on a blocklist
last-seen | integer | The unix time when this IP was last seen on any blocklist. IPs are automatically removed after 7 days, therefore this value will never be older than 7 days
list-count | integer | The number of blocklists the IP is listed on
blocklists | array | An array of strings indicating which blocklist categories this IP is listed on. Current possible values are:
    tor - IP is a Tor node or running a Tor related service
    proxy - IP has been detected as an anonymous web proxy or HTTP proxy
    vpn - IP belongs to a public VPN provider
    bot - IP is hosting a malicious bot or is part of a botnet. This is a broad category which includes brute-force crackers
    spam-bot - IP address is hosting a spam bot, comment spamming or any other spamming type software
    exploit-bot - IP is hosting an exploit finding bot or is running exploit scanning software
    hijacked - IP is part of a hijacked netblock or a netblock controlled by a criminal organization
    malware - IP is currently involved in distributing or is running malware
    spyware - IP is currently involved in distributing or is running spyware
    spider - IP is running a hostile web spider / web crawler
    dshield - IP has been flagged as a significant attack source by DShield (dshield.org)
sensors | array | An array of objects containing details on which specific sensors detected the IP:
    Parameter | Type | Description
    id | integer | The sensor ID. This is a permanent and unique ID for each sensor
    blocklist | string | The primary blocklist category this sensor belongs to
    description | string | Contains details about the sensor source and what type of malicious activity was detected
is-proxy | boolean | IP has been detected as an anonymous web proxy or anonymous HTTP proxy
is-tor | boolean | IP is a Tor node or running a Tor related service
is-vpn | boolean | IP belongs to a public VPN provider (only set if the 'vpn-lookup' option is enabled)
is-malware | boolean | IP is involved in distributing or is running malware
is-spyware | boolean | IP is involved in distributing or is running spyware
is-dshield | boolean | IP has been flagged as a significant attack source by DShield (dshield.org)
is-hijacked | boolean | IP is part of a hijacked netblock or a netblock controlled by a criminal organization
is-spider | boolean | IP is running a hostile web spider / web crawler
is-bot | boolean | IP is hosting a malicious bot or is part of a botnet. This is a broad category which includes brute-force crackers
is-spam-bot | boolean | IP address is hosting a spam bot, comment spamming or any other spamming type software
is-exploit-bot | boolean | IP is hosting an exploit finding bot or is running exploit scanning software
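An added example (not part of the original documentation or the provider's code): one way to turn a parsed response into a block / challenge / allow decision using the fields described above. It assumes the response has already been decoded into a dict keyed by the documented parameter names; the `decide` function, the grouping of categories into hostile and anonymizing, and the sample responses are constructed for illustration.

```python
import ipaddress

# Grouping of the documented categories is a policy choice of this example.
HOSTILE = {"bot", "spam-bot", "exploit-bot", "hijacked", "malware", "spyware", "spider", "dshield"}
ANONYMIZER = {"tor", "proxy", "vpn"}
MAX_AGE = 7 * 24 * 3600  # listings expire after 7 days per the documentation


def decide(response, client_ip, now):
    """Return (action, reasons) where action is 'block', 'challenge' or 'allow'."""
    # The API checks the first non-bogon address when several are submitted,
    # so confirm the verdict is about the address we are acting on.
    try:
        same = ipaddress.ip_address(response.get("ip", "")) == ipaddress.ip_address(client_ip)
    except ValueError:
        same = False
    if not same:
        return "challenge", ["response is for a different address"]
    if not response.get("is-listed"):
        return "allow", []
    cats = set(response.get("blocklists") or [])
    age = now - int(response.get("last-seen") or 0)
    if age > MAX_AGE:
        # Should not happen per the docs; treat as a stale or malformed record.
        return "challenge", ["stale listing"]
    hostile = sorted(cats & HOSTILE)
    if hostile:
        return "block", hostile
    anon = sorted(cats & ANONYMIZER)
    if anon:
        return "challenge", anon
    # Listed under a category this policy does not know: fail cautious.
    return "challenge", sorted(cats) or ["listed without category"]


# Constructed sample responses (not real API output); addresses are documentation ranges.
NOW = 1_700_000_000
SAMPLE_BOT = {"ip": "203.0.113.7", "cidr": "203.0.113.0/24", "is-listed": True,
              "last-seen": NOW - 3600, "list-count": 2, "blocklists": ["bot", "proxy"]}
SAMPLE_TOR = {"ip": "2001:db8::1", "is-listed": True, "last-seen": NOW - 86400,
              "list-count": 1, "blocklists": ["tor"]}
SAMPLE_CLEAN = {"ip": "198.51.100.9", "is-listed": False, "list-count": 0, "blocklists": []}

if __name__ == "__main__":
    for resp, ip in [(SAMPLE_BOT, "203.0.113.7"), (SAMPLE_TOR, "2001:0db8:0:0:0:0:0:1"),
                     (SAMPLE_CLEAN, "198.51.100.9"), (SAMPLE_BOT, "198.51.100.9")]:
        print(ip, decide(resp, ip, NOW))
```

Pass the connection's peer address as `client_ip` rather than a client-supplied header value, so the comparison against the response's `ip` field is meaningful.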
API Performance
Characteristic | Value | Description
Avg Latency | 15ms | Average RTT for requests within the same data center/region
Max Rate | 500/second | Maximum inbound request rate. Exceeding this will result in request throttling
Max Concurrency | 250 | Maximum concurrent/simultaneous requests. Exceeding this will result in error code 06 [TOO MANY CONNECTIONS]