IP Reputation Scores

IP Reputation Scores are only available on the Business plan and above.

IP reputation scoring addresses a key weakness of blocklist-based threat detection. Blocklists are great for identifying repeat malicious actors, but they are static and cannot possibly contain every single bad IP.

To this end, ipdata combines machine learning expertise with millions of data points to calculate an IP reputation score for all IP addresses. Each score has a value between 0 and 100.

| Name | Description |
| --- | --- |
| vpn_score | The probability that an IP address is the exit node of a commercial VPN service, as a percentage |
| proxy_score | The probability that an IP address is a proxy, as a percentage |
| threat_score | The probability that an IP address is likely to be a threat, as a percentage |
| trust_score | A score that expresses the trustworthiness, standing, or reputation of an IP address as a value between 0 - 100, with 60-100 constituting low risk, 40-60 moderate risk, and < 40 being high risk |

Example Request

curl "https://api.ipdata.co/101.3.121.242/threat?api-key=<<apiKey>>"
ipdata 8.8.8.8 -f threat

Sample Response

{
    "threat": {
        "is_tor": false,
        "is_vpn": false,
        "is_icloud_relay": false,
        "is_proxy": false,
        "is_datacenter": false,
        "is_anonymous": false,
        "is_known_attacker": false,
        "is_known_abuser": false,
        "is_threat": false,
        "is_bogon": false,
        "blocklists": [],
        "scores": {
            "vpn_score": 0,
            "proxy_score": 0,
            "threat_score": 1,
            "trust_score": 100
        }
    }
}

FAQs

What does it mean when is_threat is false but threat_score is high?

If is_threat is false but threat_score is high, the IP address is not currently known to be a threat, but the scoring system has determined that it has a high likelihood of being one based on its reputation and behavior. The is_threat flag represents whether an IP address is listed in any of the 100+ reputable blocklists that we track (these blocklists are listed in the blocklists field), whereas threat_score expresses the probability that the IP poses a risk.

It's possible that the IP has not yet been flagged as a threat, but the machine learning algorithms and reputation scoring system have identified it as having a high risk profile. In this case, further investigation may be necessary to determine if the IP is indeed a threat and to take appropriate action.

This applies to the other complementary fields as well, i.e. is_vpn and vpn_score, and is_proxy and proxy_score.
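
One way a consumer of this response might act on the flag/score pairs and the trust_score bands described above. This is an added example, not ipdata's code: the cutoff of 80, the allow/challenge/block actions, the handling of a missing scores object, and the sample inputs are all assumptions made for illustration.

```python
HIGH_SCORE = 80  # assumed cutoff for a "high" score; the page defines none
PAIRS = (("is_threat", "threat_score"), ("is_vpn", "vpn_score"),
         ("is_proxy", "proxy_score"))  # flag/score pairs named in the FAQ

def trust_band(trust_score):
    """Risk band from the table: 60-100 low, 40-60 moderate, < 40 high."""
    if trust_score >= 60:  # assumption: a score of exactly 60 counts as low risk
        return "low"
    return "moderate" if trust_score >= 40 else "high"

def assess(response):
    """Return (action, reasons) for a parsed response shaped like the sample."""
    threat = response["threat"]
    scores = threat.get("scores") or {}  # assumption: scores may be absent
    if threat.get("is_threat"):
        listed = len(threat.get("blocklists") or [])
        return "block", ["is_threat is true (%d blocklist entries)" % listed]
    reasons = []
    for flag, score in PAIRS:
        # FAQ case: not on a list, yet the model rates the IP as likely bad.
        if not threat.get(flag) and scores.get(score, 0) >= HIGH_SCORE:
            reasons.append("%s is false but %s is %d" % (flag, score, scores[score]))
    if "trust_score" in scores:
        band = trust_band(scores["trust_score"])
        if band != "low":
            reasons.append("trust_score %d is %s risk" % (scores["trust_score"], band))
    return ("challenge" if reasons else "allow"), reasons

def sample(scores=None, **fields):
    """Build a constructed response; scores are (vpn, proxy, threat, trust)."""
    threat = {"is_threat": False, "is_vpn": False, "is_proxy": False, "blocklists": []}
    threat.update(fields)
    if scores is not None:
        names = ("vpn_score", "proxy_score", "threat_score", "trust_score")
        threat["scores"] = dict(zip(names, scores))
    return {"threat": threat}

# Constructed inputs, not real API output; the blocklist entry is a placeholder.
SAMPLES = {
    "page_sample": sample((0, 0, 1, 100)),
    "unlisted_but_risky": sample((0, 0, 92, 35)),
    "vpn_suspected": sample((88, 0, 2, 55)),
    "listed": sample((0, 0, 97, 5), is_threat=True, blocklists=["placeholder"]),
    "no_scores": sample(),
}

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, *assess(response))
```

The "challenge" action stands for whatever step-up check or manual review the application already has; it is the "further investigation" the answer above calls for.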

Why doesn't this detect my self-hosted VPN instance?

The IP reputation scoring system is trained to detect the exit nodes of commercial VPN services and not self-hosted VPN instances. This means that if you are using a self-hosted VPN, the scoring system may not detect it as a VPN, resulting in a low VPN score.

Note that if the VPN is hosted in the public cloud, its IP address will likely have a low overall trust score.