How GeoIPHub classifies an IP address.

Every IP belongs to an autonomous system, and the AS tells you a lot before you look at anything else. GeoIPHub maintains a curated table of 890 hosting ASNs — networks whose business is renting servers, not connecting households — plus 14 ASNs operated by VPN providers, and separate tables for satellite, anycast, and CDN networks.

The BGP/ASN table is rebuilt every 3 days from the global routing table, so an IP that moves between networks is reclassified within days, not quarters.

Where an operator publishes its own infrastructure, we use that publication directly — it is the strongest evidence available. Server lists are pulled from 10 VPN providers' own published APIs: NordVPN, Mullvad, Surfshark, Private Internet Access, Windscribe, AirVPN, IVPN, PrivadoVPN, Riseup, and FastestVPN. An IP on one of these lists is attributed by name in detection.vpn_provider.

The same principle covers clouds and crawlers. Official IP ranges come from 10 cloud providers — AWS, Google Cloud, Azure, Oracle, Cloudflare, Fastly, GitHub, DigitalOcean, Linode, and Alibaba. Crawlers and AI bots are verified against 9 official IP-range feeds: Googlebot, Google Special Crawlers, Bingbot, Applebot, DuckDuckBot, GPTBot, ChatGPT-User, OAI-SearchBot, and CCBot. Tor exits come from the Tor Project's official exit list, and privacy relays are matched against iCloud Private Relay and Cloudflare WARP ranges.

Lists tell you what an IP was. A handshake tells you what it is. The scanner attempts real protocol handshakes on 25+ ports across 11 VPN and proxy protocols: OpenVPN, WireGuard, IKEv2, PPTP, L2TP, Shadowsocks, SOCKS5, SOCKS4, HTTP CONNECT, and HTTP forward proxies.

A completed handshake is close to conclusive: a server that answers an OpenVPN handshake on a reachable port is running OpenVPN, whatever its WHOIS record says. This is why GeoIPHub flags VPN and proxy infrastructure only after verification — a probe result, a provider list match, or both — rather than inheriting someone else's stale label.

Threat flags come from public feeds we name, so you can audit them yourself: Spamhaus DROP and EDROP for hijacked and criminal-controlled ranges, FireHOL Level 1 for aggregate attack sources, Feodo Tracker for botnet command-and-control servers, and Team Cymru's bogon data for unallocated space that should never appear as a source address. All are refreshed daily.

Each IP is additionally checked against 4 DNS blocklist zones; the response's dnsbl_sources field names every zone that listed it. Known internet-wide scanner ranges — including Shodan and Censys — are flagged separately as scanners, because measurement traffic is not the same as attack traffic.

Registration records are pulled over RDAP from all 5 Regional Internet Registries — ARIN, RIPE, APNIC, LACNIC, and AFRINIC — and analyzed against 46 VPN keywords and 27 hosting keywords. Infrastructure registered as "VPN hosting services" rarely hides it in its registry record.

Keyword matches surface as has_vpn_keywords and has_hosting_keywords in the whois group. They are weighted as supporting evidence, never as a sole reason to flag.

PTR records are resolved for every IP and validated with forward-confirmed reverse DNS: the hostname the PTR claims must resolve back to the same IP. A PTR that fails forward confirmation is just a string anyone could have set — FCrDNS is what separates evidence from decoration.

Validated PTR patterns feed crawler verification (a real Googlebot has a Google PTR and sits in Google's published ranges) and spoof detection (a "Googlebot" PTR outside those ranges sets crawler.spoofed).

When a lookup hits an IP that isn't in the database yet, the request doesn't fail and it doesn't get a guess. The Rust scanner classifies the address live — registry data, list matches, probes — in under 2.5 seconds, returns the result, and persists it. Every subsequent lookup of that IP is served from the memory-mapped database in sub-millisecond time.