RandAddressRandAddress

Aggregated IP Address Checker

Cross-check IP address across public IP intelligence sources, offline blocklists, ASN data, and geolocation providers to review its public risk signals.

Risk & IP type

Each provider checks for VPN, proxy, Tor, hosting, abuser, or fraud / abuse-confidence score.
6 sources
TN
techniknews
Geo plus simple proxy & hosting flags from TechnikNews' aggregator.
via browser
IS
ipapi_is
Geo plus VPN / proxy / Tor / hosting / abuser flags. Anonymous tier, 1000/day.
via browser
AB
abuseipdb
Crowdsourced abuse reports — confidence score 0–100 + total reports in the last 90 days.
via backend proxy
PC
proxycheck
Real-time VPN / proxy / Tor detection with 0–100 risk score and connection-type label.
via backend proxy
CS
crowdsec
Community CTI — categorical reputation (safe / suspicious / malicious) plus attacker behaviors.
via backend proxy
VT
virustotal
VirusTotal aggregator — 90+ engines vote malicious / suspicious / harmless on this IP. Risk score derived from absolute malicious-engine count: ≥3 = high (industry confirmed-bad threshold).
via backend proxy

Blocklist databases

Criminal infrastructure, botnet C2s, active attackers, and Tor exit relays.
6 sources

Geolocation per source

Where each geo provider thinks this IP is located.
2 sources
TN
techniknews
Geo plus simple proxy & hosting flags from TechnikNews' aggregator.
via browser
IS
ipapi_is
Geo plus VPN / proxy / Tor / hosting / abuser flags. Anonymous tier, 1000/day.
via browser

How the score works

0–100 risk score, broken down by signal class.
Risk bandsScore buckets that drive the verdict colour.
Safe015
Low1639
Medium4069
High70100
Scoring categoriesEach card shows max points + the strongest example signals.

Threat lists

max90

Curated criminal infrastructure, botnet C2s, and active-attacker IP ranges. Any hit floors the verdict at High.

  • Spamhaus DROP+90
  • Feodo Tracker+90
  • CINS Army+75

Anonymizer

max65

VPN, proxy, and Tor signals. Privacy networks aren't malicious by themselves but matter for login / payment / scraping checks.

  • Tor exit relay+65
  • Proxy flagged+50
  • VPN flagged+45

Reputation

max80

Third-party reputation engines: AbuseIPDB confidence, VirusTotal multi-engine analysis, CrowdSec verdict, proxycheck risk.

  • AbuseIPDB ≥ 75+80
  • VirusTotal ≥ 3 malicious engines+80
  • CrowdSec malicious+80

Network type

max25

Offline ASN registry classification. Cloud / hosting raises risk slightly; residential / mobile is neutral.

  • Data center / hosting+25
  • CDN / DNS / backbone+12
  • Search engine+8

Abuse behavior

max35

Active behavior signals — scanning, brute-forcing, recent abuse reports, bot detection.

  • CrowdSec scanning / bf+35
  • Recent-abuse flag+30
  • Bot status+20

IP Network Type Guide

How each network type maps to user-traffic risk.
LowestClosest a public IP gets to a real, individual user.
  • ResidentialHome broadband — the closest a public IP gets to a real, individual user. Caveats: residential-proxy networks, malware-infected home devices, and shared family routers all exist.
LowReal users behind shared egress — high account density on one IP is normal.
  • BusinessCorporate / office egress. Real employees behind a shared NAT — the same IP routinely produces many legitimate accounts.
  • Mobile networkMobile carrier 4G / 5G. Real users, but CGNAT means thousands may share one IP — high account density on mobile IPs is normal, not suspicious.
  • EducationSchool or university network. Mostly real students and staff, but expect lab servers, student projects, and the occasional rogue scanner.
  • GovernmentGovernment / public-sector network. Real users; only treat as risky if your service has policy reasons not to serve government traffic.
IndeterminateNot enough evidence to classify — lowers verdict confidence rather than escalating risk.
  • UnknownASN not in our offline registry — not enough evidence to classify. Lower the verdict's confidence, but don't escalate risk on this signal alone.
Context-dependentRisk depends on the endpoint hit. Verify the actor before trusting the IP.
  • Search EngineLegitimate for content crawls; suspicious on login, signup, payment, or write APIs. Verify via reverse DNS that the IP is actually the bot it claims to be.
Medium–HighShouldn't normally appear as a client IP — suspect proxy, anti-detect tools, or wrong IP extraction.
  • CDNCDN edge networks shouldn't normally surface as a client IP. When they do, suspect a forward proxy, an anti-detect tool, header spoofing, or incorrect client-IP extraction.
  • Public DNSPublic DNS resolver IPs shouldn't appear in web-visitor logs. Same red flags as CDN — proxy, header spoofing, or wrong IP extraction.
HighServer-class IPs. Heavily correlated with bots, scrapers, and bulk automation.
  • BackboneTier-1 transit / backbone provider. Almost never a direct end-user access line.
  • Data CenterCloud or data-center IP. Common with bots, scrapers, credential stuffing, and bulk signups. Also legitimate corporate VPNs, dev environments, and cloud desktops — not reason enough to block alone.
  • HostingSmaller VPS or dedicated hosting provider. Skews even more strongly toward server use than mainstream cloud — heavily correlated with automation and abuse.

IP Address Checker FAQ

We cross-reference the IP across three free public geolocation providers (FreeIPAPI, TechnikNews, ipapi.is), four reputation engines proxied through our backend (AbuseIPDB, VirusTotal, CrowdSec CTI, proxycheck.io), and six offline blocklists (Spamhaus DROP, Spamhaus ASN-DROP, Feodo Tracker, CINS Army, Blocklist.de, Tor Project Bulk Exit). Aggregating these gives you geolocation, ASN type, VPN / proxy / Tor flags, abuse and multi-engine threat-intel signals, and blocklist hits in one verdict.
A residential IP belongs to a home internet provider (Comcast, BT, etc.) and is typically assigned to a real home user's router. A datacenter IP belongs to a cloud or hosting provider (AWS, Google Cloud, Hetzner, OVH) and almost always represents a server, automation, VPN exit, or proxy — not a person sitting at a keyboard. We classify the IP into one of 12 categories using an offline ASN registry (residential / mobile carrier / business ISP / data center / hosting / CDN / DNS resolver / search engine / backbone / education / government / unknown), so you can tell at a glance whether a hit on this IP is plausibly a real user or just a server.
Yes. Every source we query accepts both IPv4 and IPv6. Just paste the address in the search box. Be aware that some IPv6 ranges have less reputation data than their IPv4 equivalents because the address space is so large — expect a slightly lower confidence number on IPv6 checks.
They're curated lists of IPs (or whole networks) tied to known-bad activity. We cross-reference your IP against six independent feeds: Spamhaus DROP (IPv4 + IPv6 networks under direct control of cybercriminals); Spamhaus ASN-DROP (entire autonomous systems run by hostile networks — matches the AS number, not the IP); Feodo Tracker (Emotet / Dridex / TrickBot / QakBot botnet command-and-control servers); CINS Army (IPs actively scanning, brute-forcing, or exploiting servers); Blocklist.de (last-48 h honeypot reports of attacking IPs); and the Tor Project Bulk Exit list (currently advertised Tor exit relays — a hit means the IP can leave the Tor network, not that the user is malicious). All matching happens locally in your browser; your IP is never sent to these providers.