VPN IP check

blackblack Member
edited February 2015 in General

Seems like VPNs / proxies could cause problems these days on forums where people like to have different "identities" / "aliases". With some motivation, I went and looked for ASNs which provide web/vps/dedicated hosting service (that are not ISPs) and saved their IPv4 prefixes in a "database".


http://check.getipaddr.net/check.php?ip=IPHERE 

Returns a value between 0-1 on how likely the given IP address is a proxy/VPN 
Returns negative values on error


Error codes:   
-1 Invalid no input  
-2 Invalid IP address (IPv6 is not supported)  
-3 Unroutable address / private address  
-4 No dynamic server could be reached for your request  

This information may not be 100% correct - Please PM me if there's a mistake. If you know some hosting IP that's not recognized as a proxy, PM me the IP and I'll look into it.


As mentioned in the title, it's a work in progress, hopefully it'll be more accurate as it develops.


Thanks to @Cakey for sharing a part of his list with me :)

Edit: (mikho)
For more information, please visit http://check.getipaddr.net

Thanked by 3NickM Makenai Quinten

Comments

  • @OP:

    http://check.getipaddr.net/check.php?ip=127.0.0.1 returns -2

    http://check.getipaddr.net/check.php?ip=10.0.0.1 returns 0

    There's also no IPv6 support it would seem [all returns -2]

    That's what I've noticed so far, will continue testing.

    Thanked by 1black
  • blackblack Member

    @GoodHosting said:
    OP:

    http://check.getipaddr.net/check.php?ip=127.0.0.1 returns -2

    http://check.getipaddr.net/check.php?ip=10.0.0.1 returns 0

    There's also no IPv6 support it would seem [all returns -2]

    That's what I've noticed so far, will continue testing.

    Yes, this is correct. I don't manually check if the IP addresses are routable, just to see if they're in the DB. As for 127.0.0.1, don't really want people messing with that, so I took some precautions with that IP address. IPv6 is another dragon to slay at another time.


    I'm mainly interested in end point IP addresses, so IPs that belong to L3, above.net, cogent / etc which are involved in transit, I don't care too much about.

  • said: Seems like VPNs / proxies could cause problems these days on forums where people like to have different "identities" / "aliases".

    I'm impressed, most of my VPNs are listed - even the obscure ones.

    I would see another threat being the P2P networks like Tor, I2P, etc and of course when IPv6 addresses come into being.

    Thanked by 1black
  • blackblack Member

    @Silvenga said:
    I would see another threat being the P2P networks like Tor, I2P, etc and of course when IPv6 addresses come into being.

    Yep, that's what I'm planning on for the next phase :)

  • MaouniqueMaounique Host Rep, Veteran

    You can get Tor's from dantor, however, I post here from voxility or prometeus pretty often and my home fixed line is also a Tor exit, does this mean I will have to get a dedicated link or use only the phone to post on some forum?

    Thanked by 1dazedandconfused
  • My VPS IP I use for SSH tunnel shows up as home. You can also check on http://lookupffs.com

    Thanked by 1black
  • blackblack Member
    edited June 2014

    @Maounique said:
    You can get Tor's from dantor, however, I post here from voxility or prometeus pretty often and my home fixed line is also a Tor exit, does this mean I will have to get a dedicated link or use only the phone to post on some forum?

    No. If anyone implements this on their website to check for bad users, they should use this during the sign up phase (aka if a user tried to sign up on a proxy, alert a mod). VPNs are definitely useful if you're on a public network so it has a purpose, but some people like to get on VPNs and make new accounts for new "aliases" so it doesn't link back to their other accounts. Also, as this project is in the early phases of development, I do not recommend it for production use and the results should be taken with a grain of salt.

    @linuxthefish said:
    My VPS IP I use for SSH tunnel shows up as home. You can also check on http://lookupffs.com

    Cool site. I looked at this before and it didn't recognize some of my servers as potential proxies so I didn't think it was reliable. Perhaps I should probe this site for information as well, it probably has some ASNs I haven't blocked yet. If the script is returning 0 for your SSH tunnel, want to share the ASN with me in PM? :)

  • If logic can be considered as true which it is, it can be added as something like maxmind strategy of calculation of risk factor points, the above should add some points if origin IP is from a server provider. Maybe someone should ask maxmind to add this as a feature.

    Thanked by 1black
  • ttsaonttsaon Member

    returns -2

  • blackblack Member

    @slicebox said:
    If logic can be considered as true which it is, it can be added as something like maxmind strategy of calculation of risk factor points, the above should add some points if origin IP is from a server provider. Maybe someone should ask maxmind to add this as a feature.

    I'd have to look at that later on. This however, costs $0 for 1000 queries :)

  • blackblack Member
    edited June 2014

    @ttsaon said:
    returns -2

    Returns -2 if you didn't put in a valid IP address (IPv6 isn't supported yet)

    On another note, I've done a bit more with proxy detection so it's smarter / more dynamic. If it thinks the IP is a proxy with the dynamic check, it doesn't return a 0 or a 1, but something else ;)

  • NickMNickM Member

    This is a great service - it'll be helpful for one of the sites that I run. I would be interested in helping to make a DNS-based version of this - for example for IP address 1.2.3.4 you would do a DNS query for 4.3.2.1.check.ipaddr.net and it returns NXDOMAIN for clean IPs, 127.0.0.1 for known ISPs, 127.0.0.2 for known tor nodes, etc. It would be useful for applications where an HTTP request is undesirable for whatever reason.
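The DNS lookup scheme proposed in the post above, sketched as an added example that is not part of the thread and not code from the service. The resolver hook, the `OSError` failure convention and the sample zone data are assumptions; only the zone name and the two return codes come from the post.

```python
import ipaddress

ZONE = "check.ipaddr.net"  # zone name as written in the post
CODES = {"127.0.0.1": "known ISP", "127.0.0.2": "known Tor node"}  # from the post
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample zone (documentation addresses), standing in for real DNS.
FAKE_ZONE = {
    "10.2.0.192.check.ipaddr.net": ["127.0.0.2"],
    "7.100.51.198.check.ipaddr.net": ["127.0.0.1"],
    "9.113.0.203.check.ipaddr.net": ["203.0.113.80"],  # rewritten answer
}


def fake_resolve(name):
    """Hypothetical resolver hook: A records as strings, [] for NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)  # ValueError on malformed input
    if addr.version != 4:
        raise ValueError("only IPv4 is handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(ip, resolve=fake_resolve):
    """Return 'clean', a label from CODES, 'listed (unknown code)' or 'error'."""
    try:
        answers = resolve(query_name(ip))
    except OSError:  # assumption: the hook raises OSError on SERVFAIL or timeout
        return "error"
    if not answers:
        return "clean"  # NXDOMAIN
    # An answer outside 127.0.0.0/8 is not a list code (wildcard or rewriting
    # resolver); treating it as a hit would flag every address.
    if any(ipaddress.ip_address(a) not in LOOPBACK for a in answers):
        return "error"
    return CODES.get(answers[0], "listed (unknown code)")
```

A resolver failure is reported as `error` rather than `clean`, so an outage of the list cannot silently pass every address.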

  • forthcloudforthcloud Member
    edited June 2014

    Anyone got this?

  • blackblack Member

    @forthcloud said:
    Anyone got this?

    Heh. That's the dynamic proxy check kicking in and thinks it's a proxy, but since it's not in the proxy list, it returns that instead of "1".

  • @black said:
    Heh. That's the dynamic proxy check kicking in and thinks it's a proxy, but since it's not in the proxy list, it returns that instead of "1".

    0.5 would be better.

  • blackblack Member
    edited June 2014

    @forthcloud said:
    0.5 would be better.

    You're probably right. There's actually two dynamic checks so I need to figure out the weights on these. LowEndMaxMind, here I come.




    Edit: So I modeled this as a "reliability in a parallel system", each dynamic check is given a reliability of R_i. At the end, the reliability of the system is calculated, which should produce something more accurate than fry squinting. Note that my initial post of "returns 1 if proxy, 0 otherwise" is no longer true. It will return a value between [0-1].



    I'll add the tor proxy check later tonight.


    Edit 2: Added Tor.

    Thanked by 1forthcloud
  • CakeyCakey Member

    Why didn't you tell me you were making something <_>, I might be able to give you my full list.

  • Mark_RMark_R Member

    Nice, I'll probably make my gameservers query it on every new player connection to detect possible ban evaders. Thanks!

  • blackblack Member
    edited June 2014

    @Cakey said:
    Why didn't you tell me you were making something <_>, I might be able to give you my full list.

    Ehh, I don't like to take other people's work and advertise it as my own... plus people that use your site might start using this one just to see if they're banned before they try to ban evade. Doing this was never planned, I looked around and didn't see any good free alternatives to blocked / maxmind so I made my own.




    I added 1 more dynamic check feature earlier today. There are now 3 distinct attributes that get tested dynamically and a probability between 0-1 is generated by modelling it as a parallel reliability system which should be fairly accurate. I'll add caching later tonight. As always, if there are any bugs, please PM me.

    Edit: Added caching. Cache is dumped every 48 hours :)

  • I wonder if there's a way this could be incorporated on a linux server to check any incoming connection and deny it if it's a proxy

  • Void_Whisperer said: I wonder if there's a way this could be incorporated on a linux server to check any incoming connection and deny it if it's a proxy

    Not good. We want SSH access to other servers from non-isp address ranges.

  • I got 0.6 for my residential IP, 0.6 for the IP - 1, 0 for the IP + 1, all in the same IP allocation.

    Nice tool btw, if you can finely hone it to reasonable accuracy I know a bunch of people who'd run it.

  • blackblack Member

    ricardo said: I got 0.6 for my residential IP, 0.6 for the IP - 1, 0 for the IP + 1, all in the same IP allocation.

    Yes, these are dynamic checks kicking in. If an IP is not explicitly banned, 3 unique checks are used to see if it has characteristics of a server/VPN, that home networks don't usually have. Looks like your IP and another on the same IP block triggered 1/3. Some people run public / private VPNs from home.

    Since it generates a value based on how sure it is of a proxy, 60% is pretty low on the scale and it's up to the person who uses this script to set limits on what he/she wants. I have 60-90% on warn (logged for manual check), 90%+ will actually trigger it.
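A way to turn the raw response into a decision using the thresholds from the post above, as an added example that is not part of the thread or the service's code. The error meanings are copied from the first post; the function name, verdict labels and the choice to treat every error as its own verdict are assumptions.

```python
import math

# Error codes as listed in the first post of the thread.
ERRORS = {
    -1: "invalid / no input",
    -2: "invalid IP address (IPv6 is not supported)",
    -3: "unroutable / private address",
    -4: "no dynamic server could be reached",
}
WARN_AT = 0.60   # 60-90%: log for manual check (from the post)
BLOCK_AT = 0.90  # 90%+: trigger (from the post)


def interpret(body):
    """Map a raw response body to (verdict, detail).

    Verdicts are "allow", "warn", "block" or "error". A negative value is an
    error code, not a low score: a bare `score < 0.6` test would wave through
    every failed lookup, including -4 when the workers are down.
    """
    try:
        value = float(body.strip())
    except ValueError:
        return "error", "unparseable response: %r" % body[:40]
    if not math.isfinite(value) or value > 1:
        return "error", "value outside the documented range"
    if value < 0:
        code = int(value)
        return "error", ERRORS.get(code, "unknown error code %d" % code)
    if value >= BLOCK_AT:
        return "block", "score %.2f" % value
    if value >= WARN_AT:
        return "warn", "score %.2f" % value
    return "allow", "score %.2f" % value
```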

  • daviddavid Member

    0.9 for my home DSL line.

  • blackblack Member

    @david said:
    0.9 for my home DSL line.

    I looked into this. One of the dynamic checks looks for stats of neighbor IPs. An IP in the same /24 as yours is hosting websites, which was flagged as "abnormal" since residential ISPs do not host websites. One more dynamic check also said it might be a proxy, if you're curious on that one I'll PM you and tell you why. 2/3 hits yielded a score of 0.90.

  • Would be best if you could have SSL on check domain.

  • blackblack Member

    @sundaymouse said:
    Would be best if you could have SSL on check domain.

    Perhaps later, no point of doing that now since all the information is public (no logins, API keys or anything like that).

  • @black said:

    Automated system sending customer's IP to your API, maybe worth protecting it after beta stage.

  • blackblack Member

    @sundaymouse said:
    Automated system sending customer's IP to your API, maybe worth protecting it after beta stage.

    Yep, will do that once it's good for production level. And to get there...

    I added 1 more dynamic check. It looks at the smallest IP block that's announced by the AS for A records to domains. If there are at least 10 IPs & the ratio of domains to IPs is > 0.10, it's an indication that the IP belongs to a web host of sorts.

    For example: http://bgp.he.net/net/72.215.136.0/21#_dns has 9 domains, 1016 IP addresses, yields a ratio of .00885

    http://bgp.he.net/net/104.36.80.0/21#_dns has 58 domains, 58 IP addresses, yields a ratio of 1.00

    As you can see, these networks are completely different. A value of 65% is assigned to the IP if the ratio is > 10%. Now, there's a total of 4 unique dynamic checks in place.

    In terms of redundancy, 3 dedicated worker nodes are used for dynamic checks. If one fails, the system will remove it from the available worker list. For the next phase, I'll implement my cloudflare backup script, so if check.getipaddr.net goes down, it'll automatically switch to a fail-over server.

    Enjoy!
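The domain-to-IP ratio check from the post above, combined with the "reliability in a parallel system" scoring described earlier in the thread, as an added example that is not the service's own code. The 10-IP minimum, the 0.10 ratio, the 0.65 weight and the two sample prefixes come from the posts; `OTHER_WEIGHT` and all function names are hypothetical.

```python
from math import prod

MIN_IPS = 10         # "at least 10 IPs" (from the post)
RATIO_LIMIT = 0.10   # "ratio of domains to IPs is > 0.10" (from the post)
RATIO_WEIGHT = 0.65  # value assigned when the ratio check hits (from the post)
OTHER_WEIGHT = 0.60  # hypothetical R_i for a second check; not from the thread

# (domains, IP addresses) exactly as quoted in the post for the two prefixes.
SAMPLES = {"72.215.136.0/21": (9, 1016), "104.36.80.0/21": (58, 58)}


def ratio_check(domains, ip_count):
    """Return this check's R_i: RATIO_WEIGHT on a hit, 0.0 on a miss."""
    if ip_count < MIN_IPS:  # too few addresses to judge
        return 0.0
    return RATIO_WEIGHT if domains / ip_count > RATIO_LIMIT else 0.0


def combine(reliabilities):
    """Parallel-system reliability: 1 - product of (1 - R_i)."""
    rs = list(reliabilities)
    if any(not 0.0 <= r <= 1.0 for r in rs):
        raise ValueError("each R_i must lie in [0, 1]")
    # A miss (R_i = 0) leaves the product unchanged; every hit can only raise
    # the score, so weak signals stack up (0.65 and 0.60 give 0.86).
    return 1.0 - prod(1.0 - r for r in rs)


def score(prefix, other_hit=False):
    """Score a sample prefix, optionally with the hypothetical second check."""
    domains, ip_count = SAMPLES[prefix]
    checks = [ratio_check(domains, ip_count)]
    if other_hit:
        checks.append(OTHER_WEIGHT)
    return round(combine(checks), 2)
```

Because the combination never lowers a score, each extra check adds to the false-positive rate on residential addresses, which is why the warn band is worth reviewing by hand.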
