API Basics
Data Tools
WWW
Browser Bot
HTML Clean
URL Info
Telephony
Geolocation
Security and Networking
E-commerce
Imaging
Legacy APIs

IP Blocklist

The IP Blocklist API will detect potentially malicious or dangerous IP addresses.

Use this API for identifying malicious hosts, anonymous proxies, tor, botnets, spammers and more.
Block, filter or flag traffic to help reduce attacks on your networks and software stacks. IP addresses are automatically removed from the blocklist after 7 days provided no other malicious activity is detected.

You can also download the complete IP data for direct use on your own systems using the Download API.

IP blocklist will detect the following main categories of IP addresses:
Under the hood there are 3 core components that make up our blocklist:

Autonomous Networks

This is our system of autonomous bots, crawlers and honeypots which continuously collect data from across the Internet in realtime

Firewall Aggregation

This system collects IP data from security appliances, this includes feeds from firewalls, gateways and intrusion detection systems (IDS)

Open Data

We compile data from many public sources of IP data. This includes public blocklists, blacklists, botnet trackers and various security intelligence feeds

End Point

https://neutrinoapi.net/ip-blocklist
Test API
API Request
ParameterRequiredTypeDefaultDescription
ipyesstringAn IPv4 or IPv6 address. Accepts standard IP notation (with or without port number), CIDR notation and IPv6 compressed notation. If multiple IPs are passed using comma-separated values the first non-bogon address on the list will be checked
vpn-lookupnobooleanfalseInclude public VPN provider IP addresses.
NOTE: For more advanced VPN detection including the ability to identify private and stealth VPNs use the IP Probe API
API Response
ParameterTypeDescription
ipstringThe IP address
cidrstringThe CIDR address for this listing (only set if the IP is listed)
is-listedbooleanIs this IP on a blocklist
last-seenintegerThe unix time when this IP was last seen on any blocklist. IPs are automatically removed after 7 days therefor this value will never be older than 7 days
list-countintegerThe number of blocklists the IP is listed on
blocklistsarrayAn array of strings indicating which blocklist categories this IP is listed on. Current possible values are:
  • tor - IP is a Tor node or running a Tor related service
  • proxy - IP has been detected as an anonymous web proxy or HTTP proxy
  • vpn - IP belongs to a public VPN provider
  • bot - IP is hosting a malicious bot or is part of a botnet. This is a broad category which includes brute-force crackers
  • spam-bot - IP address is hosting a spam bot, comment spamming or any other spamming type software
  • exploit-bot - IP is hosting an exploit finding bot or is running exploit scanning software
  • hijacked - IP is part of a hijacked netblock or a netblock controlled by a criminal organization
  • malware - IP is currently involved in distributing or is running malware
  • spyware - IP is currently involved in distributing or is running spyware
  • spider - IP is running a hostile web spider / web crawler
  • dshield - IP has been flagged as a significant attack source by DShield (dshield.org)
sensorsarrayAn array of objects containing details on which specific sensors detected the IP:
ParameterTypeDescription
idintegerThe sensor ID. This is a permanent and unique ID for each sensor
blockliststringThe primary blocklist category this sensor belongs to
descriptionstringContains details about the sensor source and what type of malicious activity was detected
is-proxybooleanIP has been detected as an anonymous web proxy or anonymous HTTP proxy
is-torbooleanIP is a Tor node or running a Tor related service
is-vpnbooleanIP belongs to a public VPN provider (only set if the 'vpn-lookup' option is enabled)
is-malwarebooleanIP is involved in distributing or is running malware
is-spywarebooleanIP is involved in distributing or is running spyware
is-dshieldbooleanIP has been flagged as a significant attack source by DShield (dshield.org)
is-hijackedbooleanIP is part of a hijacked netblock or a netblock controlled by a criminal organization
is-spiderbooleanIP is running a hostile web spider / web crawler
is-botbooleanIP is hosting a malicious bot or is part of a botnet. This is a broad category which includes brute-force crackers
is-spam-botbooleanIP address is hosting a spam bot, comment spamming or any other spamming type software
is-exploit-botbooleanIP is hosting an exploit finding bot or is running exploit scanning software
API Performance
CharacteristicValueDescription
Avg Latency15msAverage RTT for requests within the same data center/region
Max Rate500/secondMaximum inbound request rate. Exceeding this will result in request throttling
Max Concurrency250Maximum concurrent/simultaneous requests. Exceeding this will result in error code 06 [TOO MANY CONNECTIONS]

API Example
curl https://neutrinoapi.net/ip-blocklist \ --header "User-ID: <your-user-id>" \ --header "API-Key: <your-api-key>" \ --data-urlencode "ip=104.244.72.115" \ --data-urlencode "vpn-lookup=false"
{ blocklists: [ "bot", "exploit-bot", "proxy", "spam-bot", "tor", "vpn" ], cidr: "104.244.72.115/32", ip: "104.244.72.115", is-bot: true, is-dshield: false, is-exploit-bot: true, is-hijacked: false, is-listed: true, is-malware: false, is-proxy: true, is-spam-bot: true, is-spider: false, is-spyware: false, is-tor: true, is-vpn: true, last-seen: 1724111228, list-count: 28, sensors: [ { blocklist: "tor", description: "Tor router", id: 1 }, { blocklist: "bot", description: "CINS army list", id: 6 }, { blocklist: "exploit-bot", description: "Vulnerability scanning or DDoS bot", id: 17 }, { blocklist: "spam-bot", description: "Comment and forum spammers", id: 19 }, { blocklist: "bot", description: "Brute force bot (SSH, SMTP, IMAP or HTTP)", id: 20 }, { blocklist: "bot", description: "Hacking or attack bot", id: 22 }, { blocklist: "tor", description: "Tor node", id: 32 }, { blocklist: "exploit-bot", description: "Exploit attacks against website", id: 33 }, { blocklist: "spam-bot", description: "HTTP form spam bot", id: 34 }, { blocklist: "tor", description: "Tor exit node", id: 38 }, { blocklist: "bot", description: "Web server attack source", id: 39 }, { blocklist: "spam-bot", description: "Harvester, spam or comment spam host", id: 50 }, { blocklist: "proxy", description: "Public HTTP proxy", id: 53 }, { blocklist: "vpn", description: "VPN service hosting", id: 54 }, { blocklist: "tor", description: "Tor exit node", id: 55 }, { blocklist: "spam-bot", description: "Forum, blog or other website spammer", id: 58 }, { blocklist: "bot", description: "IP connected to a known honeypot", id: 59 }, { blocklist: "bot", description: "Brute force bot (SSH)", id: 60 }, { blocklist: "bot", description: "Brute force bot (SMTP)", id: 61 }, { blocklist: "bot", description: "Brute force bot (Apache HTTP)", id: 62 }, { blocklist: "bot", description: "Brute force bot (Website Logins)", id: 66 }, { blocklist: "exploit-bot", description: "Hacking, exploit or other attack source", id: 67 }, { blocklist: "bot", description: "Scanning or brute force attacks (last 30 days)", id: 68 }, { blocklist: "bot", description: "Hacked IP or spam source", id: 69 }, { blocklist: "exploit-bot", description: "HTTP attack source", id: 73 }, { blocklist: "spam-bot", description: "Email/SMTP attack source", id: 74 }, { blocklist: "bot", description: "SSH attack source", id: 75 }, { blocklist: "bot", description: "Abuse source (hacking or spam)", id: 76 } ] }