Check if a user is on a vpn / proxy

black

New Member
I made a tool that allows admins see how likely an IP address is a proxy/VPN IP. The system returns a probabilistic value of how likely an IP address is a proxy / VPN.

This should help forum admins, online shops, etc. If you have problems with people bypassing bans / trolls / fraud prevention, this tool should be useful. 

I hear that maxmind doesn't classify VPNs / proxies as high risk so this might be useful as another layer of detection.

The proxy check system uses:

  • 2 static files (manually updated)
  • 1 dynamic file
  • 6 unique dynamic checks
  • 1 cached IPs file (to reduce the number of dynamic check queries)

Here's the full documentation / readme - http://check.getipaddr.net/

The proxy check system has served 175k unique IP lookups in the past ~2 months, and the system is out of the development stage.
 

drmike

100% Tier-1 Gogent
Interesting project @black.
 
One point to expand upon your good work.
 
Unsure if it's a feature, but make the API support NO IP provided, so you are checking the requesting parties own IP address.  Good for those of us wanting to check own IP from time to time to make sure such is "clean" without doing extra step(s) to do self detect of public IP.
 
http://check.getipaddr.net/check.php?ip=

Also expand your project to not check IP but echo their IP as another API flag extension.
 
Last edited by a moderator:

black

New Member
Interesting project @black.


One point to expand upon your good work.


Unsure if it's a feature, but make the API support NO IP provided, so you are checking the requesting parties own IP address.  Good for those of us wanting to check own IP from time to time to make sure such is "clean" without doing extra step(s) to do self detect of public IP.

http://check.getipaddr.net/check.php?ip=


Also expand your project to not check IP but echo their IP as another API flag extension.
Thanks for the recommendations. You can visit http://check.getipaddr.net/check.php without giving the parameter "ip" and it'll check your own IP address. As for echoing your own IP address, you can just go to http://getipaddr.net (which is curl and wget friendly)
 

devonblzx

New Member
Verified Provider
I'm kind of curious as to how it works.   I know you may not want to release that information.  I only received 0's and 1's on the IPs I tested, it looks like there is supposed to be a score between 0 and 1 for most addresses though.

I'm curious as to how common false positives are.  Does it search the ASN / net block / ports opened, etc?
 

black

New Member
I'm kind of curious as to how it works.   I know you may not want to release that information.  I only received 0's and 1's on the IPs I tested, it looks like there is supposed to be a score between 0 and 1 for most addresses though.

I'm curious as to how common false positives are.  Does it search the ASN / net block / ports opened, etc?
I have 2 static ban lists. One takes CIDRs and the other takes in AS numbers. The content of these lists are manually added. If an IP is on one of these lists, then they are explicitly banned so the system returns 1. The dynamic file is a list of tor IPs, updated every few hours, which is also explicitly banned and will return a value of 1. If the IP address isn't on any of these lists, it'll go ask a slave node to do a dynamic check on the IP. A dynamic check looks for characteristics of a proxy/VPN IP would have and residential IP wouldn't have. For example if multiple IPs in the /24 are hosting a bunch of websites, then we can say with some probability that this IP is a proxy/VPN. That's just 1 dynamic check. There are 5 more other unique ones the proxy check system uses, each will return a different probability. The slave node will return these 6 probabilistic values, then it'll be modeled as a reliability system in a parallel configuration where ri is the reliability of characteristic [SIZE=12.222222328186px]i[/SIZE]. I don't mind discussing how the system works but I do not wish to disclose all the characteristics I look in a dynamic check for for obvious reasons. You'll get a value of 0 if the characteristics of the IP address doesn't appear to be a proxy / VPN (determined by the proxy check system).

So basically, if the IP isn't explicitly banned, the system will look for characteristics of the IP to determine how likely it is to be a proxy/VPN.
 
Last edited by a moderator:

RTGHM

New Member
Well, I see it doesn't like my non-proxy IP.

Was picked up as 1 instantly, and my actual proxy was picked up as 0
 

black

New Member
So why do you have a AAAA record? What's the point of having it accessible over IPv6 if it doesn't work properly?
There's no AAAA record for check.getipaddr.net but I use cloudflare's "automatic IPv6" feature. This allows getipaddr.net work with ipv6.
 

trewq

Active Member
Verified Provider
There's no AAAA record for check.getipaddr.net but I use cloudflare's "automatic IPv6" feature. This allows getipaddr.net work with ipv6.
The record is there... It means if you try and get the score on your own IP and you're running dual stack, it won't work.
 

black

New Member
The record is there... It means if you try and get the score on your own IP and you're running dual stack, it won't work.
Yeah, the AAAA record is cloudflare's IPs. It's a cloudflare feature. I did not explicitly add an AAAA record for check.getipadr.net and I can't turn it off for a specific subdomain.

Are you using some sort of NAT VPS with IPv6 addresses? In Debian you can set prefer IPv4 by editing 


/etc/gai.conf
and add the following line

Code:
precedence ::ffff:0:0/96  100
 
Last edited by a moderator:

trewq

Active Member
Verified Provider
Yeah, the AAAA record is cloudflare's IPs. It's a cloudflare feature. I did not explicitly add an AAAA record for check.getipadr.net and I can't turn it off for a specific subdomain.


Are you using some sort of NAT VPS with IPv6 addresses? In Debian you can set prefer IPv4 by editing


/etc/gai.conf
and add the following line
Code:
precedence ::ffff:0:0/96  100
Ah ok, thought you could in cloudflare. Nope, native on home connection.
 

black

New Member
Ah ok, thought you could in cloudflare. Nope, native on home connection.
Ah ok. Well if you're using any Debian based linux distro, changing gai.conf should use your ipv4 address. I'm sure it's something similar in other *nix flavors. I'm not too sure about windows.
 

trewq

Active Member
Verified Provider
Ah ok. Well if you're using any Debian based linux distro, changing gai.conf should use your ipv4 address. I'm sure it's something similar in other *nix flavors. I'm not too sure about windows.
This was actually on Android. It's not an issue anymore, just thought it seemed silly to have it IPv6 accessible when it doesn't work with IPv6.
 

KuJoe

Well-Known Member
Verified Provider
For those who want to integrate this into a PHP script, here's the code I use for my control panel:


if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) != true) {
$proxychk = file_get_contents("http://check.getipaddr.net/check.php?ip=".$ip."");
} else {
$proxychk = '-2';
}
echo $proxychk;
Works nicely with FraudRecord for quick screening without having to spend any money.
 
Last edited by a moderator:
Top