← All posts
2025-12-01  ·  6 min read

How to Detect VPNs, Proxies, and Tor Exit Nodes via IP

VPNs, proxies, and Tor are legitimate privacy tools. But they are also commonly used to bypass geo-restrictions, commit fraud, or mask automated attacks. Knowing whether an IP belongs to a VPN server, open proxy, or Tor exit node is a valuable signal for fraud detection, content enforcement, and security monitoring.

Why Detection Is Useful

Consider these scenarios:

  • An e-commerce site wants to flag orders from high-risk VPN IPs for manual review.
  • A streaming platform needs to enforce regional content licences.
  • A SaaS product wants to detect credential-stuffing attacks originating from Tor.
  • An analytics tool wants to exclude known proxy traffic from user session data.

In all these cases, querying an IP intelligence API at request time gives you the signal you need without building and maintaining your own blocklists.

Detection Signals

Proxy and VPN Flags

ip-api.com (the geolocation source used by ResolvIP) classifies IPs using several boolean flags:

  • is_proxy — generic proxy flag: open proxies, web proxies, residential proxies.
  • is_hosting — the IP belongs to a hosting, cloud, or data-centre provider. High correlation with VPN exit nodes and bots.
  • is_mobile — carrier mobile network. Rarely a fraud signal by itself, but useful context.

Tor Exit Nodes

The Tor Project publishes its exit node list at https://check.torproject.org/torbulkexitlist. ResolvIP downloads this list on startup and refreshes it every 6 hours. Any IP on this list is flagged is_tor: true in the response.

Cloud Provider Detection

Many VPN providers run on AWS, GCP, and similar platforms. ResolvIP checks the queried IP against the official IP range lists published by AWS, Google Cloud, and Cloudflare. If a match is found, the cloud_provider field is populated and is_hosting is set to true.

Threat Intelligence Blocklists

ResolvIP checks IPs against:

  • Feodo Tracker (abuse.ch) — known botnet C2 server IPs.
  • Firehol Level 1 — a curated blocklist of the most dangerous IPs on the internet, updated daily.

Using the ResolvIP API

The full enrichment endpoint returns all signals in a single request:

GET https://api.resolvip.net/ip/185.220.101.45

{
  "ip": "185.220.101.45",
  "version": 4,
  "is_private": false,
  "is_bogon": false,
  "ptr": "tor-exit.example.org",
  "flags": {
    "is_proxy": false,
    "is_hosting": false,
    "is_mobile": false,
    "is_tor": true,
    "cloud_provider": null
  },
  "reputation": {
    "is_abusive": true,
    "threats": ["tor_exit_node"],
    "sources": ["Tor Project"]
  }
}

Or query just the reputation:

GET https://api.resolvip.net/ip/185.220.101.45/reputation

{
  "is_abusive": true,
  "threats": ["tor_exit_node"],
  "sources": ["Tor Project"],
  "cloud_provider": null
}

False Positives and Limitations

No detection system is perfect. Some caveats:

  • Residential proxies use IP addresses allocated to real households, making them hard to distinguish from legitimate consumer traffic without behavioural signals.
  • New VPN exit nodes may not appear in blocklists for 24–48 hours after deployment.
  • Corporate proxies may be flagged as proxies even though they represent legitimate business users.
  • Shared hosting IPs may be flagged as hosting even if the request is from a real user on a cheap shared-hosting plan.

Use these signals as one input among several. Combine IP intelligence with behavioural analysis, device fingerprinting, and account history for best results.

Ready to query IP intelligence in your own application? Get a free API key →