IP Address API
Author | Nikolai Tschacher (incolumitas.com) |
API Access | Free & unlimited (fair use) |
API Version | v0.9.24 (8th June 2023) |
API Endpoint | https://api.incolumitas.com/?q=3.5.140.2 |
Total Tracked Hosting Providers | 15971 hosting providers |
Number of Ipv4 Addresses | 288,312 IPv4 CIDR ranges (691,658,406 Addresses in total) |
Number of Ipv6 Addresses | 288,915 IPv6 CIDR ranges (1.660367387226822e+33 Addresses in total) |
Live API
Examples: 165.227.176.0 — 43.181.128.0 — 143.81.28.0 — 20.1.28.0 — 194.126.177.0 — AS209103 — 23.236.48.55 — 2600:1F18:7FFF:F800:0000:ffff:0000:0000 — 107.174.138.172 — 107.152.214.169 — 2a02:0f58:0004:0300:0216:3eff:fec2:a1f
{
"message": "Please make an API request",
}
Change Log
Coming Soon
- Soon a proprietary, self made geolocation database will be added to the API. This db will use the
geofeed
andgeoloc
attributes of WHOIS data (Learn more about "geoloc" attribute) Other data sources will be also used to build the geolocation database. - The hosting detection algorithm is being updated and will soon run again to produce more accurate and better
is_datacenter
results - A full WHOIS crawl will be conducted for RIPE and APNIC to enhance WHOIS data coverage. Scraping WHOIS data from RIPE and APNIC is rather cumbersome, since they block aggressively.
- If you have a high request volume, please contact me. The API is here to stay and will improve substantially in the near future.
2nd April 2023
- API is now running on 3 parallel clusters and can serve roughly 30 million request per day.
- For March 2023, the time was wrong for the fields
local_time
andlocal_time_unix
(Mostly because of DST). This was fixed for good now. - Added
is_dst
field togeolocation
object. It is true if DST is active in the IP address timezone. - Added
timezone
field to thegeolocation
object. It represents the timezone of the IP address time. Example:Europe/Berlin
- Fixed erroneous output in
geolocation
object for IPv6 - Renamed field
possible_other_location
toother
in thegeolocation
object. This was done in order to save space. - Added proprietary list mostly for
is_datacenter
andis_abuser
11th December 2022
- Now serving daily 1M requests
- Introduced the
is_vpn
flag (Mostly using github.com/X4BNet/lists_vpn as data source) - Added self published cloud IP ranges from
Alibaba Cloud
,SAP Cloud
,Servicenow Cloud
- Upgraded to more powerful server (16GB RAM, 4vCPU)
- TODO: Run Node.js HTTP Express.js Server on Multiple CPU Cores in order to deal with high load
2nd December 2022
- Many thousands of new cloud/hosting providers being tracked
- Added iCloud Private Relay IP ranges
- Geolocation time's was wrong because of DST change in North America
- Updated whole database
30th October 2022
- Better geolocation information
- Updated whole database
- Updated this API documentation page
30th September 2022
- Moved the API to a dedicated server. There will be much fewer service disruptions from now on
- Added more detailed geolocation information
- Updated whole database
- Added LACNIC organization information
- Added field
type
toasn
objects. Possibleasn
type
values:hosting
,education
,goverment
,banking
,business
,isp
- Updated this API documentation page
- Info: The API has passed 10 Million requests
11th September 2022
- Updated this API documentation page to reflect that the API is no longer only a datacenter IP address API, but a more generic and powerful IP API
21th August 2022
- Added country specific geolocation information
- Updated datacenter ranges and added new datacenters
- Now providing company information for almost all active networks in the Internet
- Providing organization and abuse meta information for each of the 79247 active ASN's
30th July 2022
- Added hundreds of new datacenters (Now 496 datacenters in the database)
- Added basic country geolocation for each IP (In the attribute
location
) - Server is now faster and has more RAM (no more downtime)
- Updated this documentation page
26th July 2022
- Updated this documentation page
- The API provides now AS (Autonomous System) information for each looked up IP address (in the attribute
asn
) - The API provides information about the Regional Internet Registry to which the looked up IP belongs (in the attribute
rir
) - Added a huge amount of new hosting providers / datacenters to the API
5th June 2022
- Added APNIC whois data to database
- Updated database in general
- added API endpoint /info
20th March 2022
- Improved API
- Remove the
service
attribute in API output. Only attribute that identifies the cloud provider is nowdatacenter
- Add bulk IP lookup mode. Allow up to 100 ips in bulk lookup mode. Only return datacenter IP addresses. Uses POST method. Ignore Invalid IPs
14th March 2022 and 15th March 2022
- Added 39,246 IPv4 and 360,372 IPv6 CIDR ranges ranges to the database from AFRINIC, RIPE-NCC, APNIC, ARIN and LACNIC whois databases.
- Some Examples: Lookup of Cloudflare IP, Lookup of M247 Ltd IP , Lookup of Packethub S.A. IP, Lookup of Leaseweb IP
- Added the following datacenters to the API:
XT Global Networks LTD
,OVH
,myLoc
,ServiHosting Networks S.L.
,Clouvider Limited
,Hetzner Online
,GoDaddy Operating Company, LLC.
,Claranet limited
,Selectel Ltd.
,M247 Ltd
,Imperva, Inc.
,Beget
,trueserver.nl
,1&1 Internet
,DediPath
,iomart Hosting Ltd
,Aruba S.p.a
,Strato AG
,DataCamp Limited
,Rackspace, Inc.
,Reg.Ru Hosting
,Heficed
,LeaseWeb
,Mittwald
,The Constant Company, LLC
,American Internet Services
,Hostinger
,PlusServer GmbH
,Equinix, Inc.
,GHOSTnet GmbH
,It7 Networks Inc
,xservers.ro
,Cloudflare
,IBM Cloud
,iWeb Technologies Inc.
,SysEleven SysEleven GmbH
,G-Core Labs S.A.
,Tencent Cloud
,Choopa, LLC.
,DigitalOcean
,Webair Internet Development Inc
,Hostway
,Phoenix NAP, LLC
,Contabo GmbH
,A2 Hosting
,Zenlayer
,Optimate Server
,LogicWeb Inc.
,Packethub S.A.
,MULTACOM Inc.
,veesp.com vps clients
,Sakura Internet Inc.
,Zscaler, Inc.
,Vultr Holdings LLC
,Enzu Inc.
,24Shells Inc
,GZ Systems (PureVPN)
,HIVELOCITY, Inc.
,Transip Bv.
,Host Europe
,Internap Corporation
,IP Exchange GmbH
,Datapipe
,Savvis
,home.pl S.A.
,Redstation Limited
,hosting.ua
,Daou Technology
,Linode
,Amazon AWS
,kinx.net
,Dreamscape
,Xneelo (Pty) Ltd
,Fiber Grid Inc
,Performive LLC
,Microsoft Azure
,UCloud
,Hostgator
,Hostwinds.com
,Namecheap
,Stackpath, LLC
,ALL INKL
,Online SAS (Scaleway)
,ServerCentral
,Quadranet, Inc
,FDC Servers
,ColoCrossing
,Aptum Technologies
,Sharktech Inc.
,Wholesale Internet, Inc
,Dreamhost
,Pair Networks
,ServerHub
,Psychz Networks
,CoreSpace,Inc.
,Cologix, Inc.
,Colocation America Inc
,ServerMania Inc.
,Peak10
,Google Cloud
,Fasthosts Internet Ltd
,latisys
,Mullvad VPN
,InMotion
,Unified Layer
,Fastly, Inc.
,Ubiquity Hosting
.
11th March 2022
- Added bulk IP lookup mode, up to 100 IP addresses can be queried with one API request
- Added fast IPv6 lookup support (Speedup of factor
883x
, average lookup time now0.056ms
instead of49.99ms
)
9th March 2022
- Added
cidr
attribute to the API output - Improved API performance for IPv4 (IPv6 still pending), the performance is now 1500x times faster on average (Average lookup time before:
100.37ms
, average lookup time now0.068ms
)
8th March 2022
- Added cloud service providers / hosting providers / VPN service providers:
Linode
,Mullvad VPN
,B2 Net Solutions Inc.
,scaleway.com
,Vultr Holdings, LLC
,The Constant Company, LLC
,QuadraNet Enterprises LLC
,Zscaler, Inc.
,CloudCone, LLC
,Psychz Networks
,BuyVM Services (buyvm.net)
,DataCamp Limited
,ColoCrossing
,IT7 Networks Inc.
,G-Core Labs S.A.
,AlmaHost Ltd
,Reg.Ru Hosting
,Packethub S.A.
,Clouvider Limited
,24Shells Inc
,Performive LLC
,Packet Host, Inc.
,veesp.com vps clients
,tzulo, inc.
,Cluster Logic Inc
,Owl Limited
,HIVELOCITY, Inc.
,SysEleven SysEleven GmbH
- Added lookup time in
ms
to the API output as attributeelapsed_ms
- Updated this API page
- Updated all IP address ranges
6th November 2021
- Updated all IP address ranges
- Add cloud provider
m247 Ltd
,servers.com Inc.
,Leaseweb Usa Inc.
, often used for proxies/fraud - Checking for common datacenter in
whois
lookup
29th September 2021
- Updated all IP address ranges
- Added dedicated API endpoint: https://api.incolumitas.com/datacenter?ip=3.5.140.2
- Old API Endpoint: https://abs.incolumitas.com/datacenter?ip=1.2.3.4
Documentation
This IP address API returns useful meta-information for IP addresses. For example, the API response includes the organization of the IP address, ASN information and geolocation intelligence and WHOIS data.
Furthermore, the API response allows to derive security information for each IP address, for example whether an IP address belongs to a hosting provider (is_datacenter
), is a TOR exit node (is_tor
), if an IP address is a proxy (is_proxy
) or VPN (is_vpn
) or belongs to an abuser (is_abuser
).
This API strongly emphasizes datacenter/hosting detection. A complicated hosting detection algorithm was developed to achieve a high detection rate. Thousands of different hosting providers are tracked. Whois records, public hosting IP ranges from hosting providers and a proprietary hosting discovery algorithm are used to decide whether an IP address belongs to a datacenter or not.
The API furthermore includes accurate and rich ASN meta data. For instance, the API includes raw whois data for each active ASN. Fields such as the ASN type
are derived by analyzing the company that owns the autonomous system.
Quickstart
Lookup any IP address: https://api.incolumitas.com/?q=3.5.140.2
Lookup your own IP address: https://api.incolumitas.com/
Usage with JavaScript:
fetch('https://api.incolumitas.com/?q=23.236.48.55')
.then(res => res.json())
.then(res => console.log(res));
Usage with curl
:
curl 'https://api.incolumitas.com/?q=32.5.140.2'
Introduction
The IP address API makes use of the following data sources:
- Public whois records from regional Internet address registries such as RIPE NCC, APNIC, ARIN and so on
- Public BGP routing table data for ASN lookups
- Public blocklists such as firehol/blocklist-ipset
- The API uses a proprietary datacenter/hosting detection algorithm
- Other open source projects that try to find hosting IP addresses such as github.com/client9/ipcat, github.com/Umkus/ip-index or https://github.com/X4BNet/lists_vpn are also considered
- The API uses IP threat data from various honeypots
- IP geolocation information from several different geolocation providers is used. By using more than one geolocation source, a more accurate location can be interpolated.
- A proprietary geolocation database is built from scratch. Gelocation data is sourced from whois data. For example, some Regional Internet Registries such as APNIC support the
geofeed
andgeoloc
property in whois records.
API Features
- Ready for production: This API can be used in production and is stable
- Many datacenters supported: Thousands of different hosting providers and counting - From Huawei Cloud Service to ServerMania Inc. Find out whether the IP address is hosted by looking at the
is_datacenter
property! - Always updated: The API database is automatically updated several times per week.
- ASN support: The API provides autonomous system information for each looked up IP address
- Company Support: The API provides organizational information for each network of each looked up IP address
- Bulk IP Lookups: You can lookup up to 100 IP addresses per API call
ASN Database
For offline ASN data access, the ASN Database is provided. The ASN database includes all assigned and allocated AS numbers by IANA and respective meta information. The database is updated several times per week. For active ASN's (at least one route/prefix assigned to the AS), the database includes rich meta information. For example, the provided information for the ASN 50673
would be:
"50673": {
"asn": "50673",
"org": "Serverius Holding B.V.",
"domain": "serverius.net",
"abuse": "abuse@serverius.net",
"type": "hosting",
"created": "2010-09-07",
"updated": "2022-11-15",
"rir": "ripe",
"descr": "SERVERIUS-AS, NL",
"country": "NL",
"active": true,
"prefixes": [
"2.59.183.0/24",
"5.56.133.0/24",
// many more IPv4 prefixes ...
],
"prefixesIPv6": [
"2001:67c:b0::/48",
"2a00:1ca8::/32",
// many more IPv6 prefixes ...
]
},
The database is in JSON format. The key is the ASN as int
and the value is an object with AS meta information such as the one above.
Click here to download the ASN Database
How to download & parse the ASN database?
Download and unzip the ASN database:
cd /tmp
curl -O https://raw.githubusercontent.com/NikolaiT/IP-Address-API/main/databases/fullASN.json.zip
unzip fullASN.json.zip
And parse with nodejs:
let asnDatabase = require('./fullASN.json');
for (let asn in asnDatabase) {
console.log(asn, asnDatabase[asn]);
}
Hosting IP Ranges Database
Furthermore, the Hosting IP ranges Database is provided for offline and scalable access. This database contains all known datacenter IP ranges in the Internet. A proprietary algorithm was developed to determine if a network belongs to a hosting provider.
The file format of the database is tab separated text file (.tsv), where each line of the file contains the company
, network
and domain
of the hosting provider.
Example excerpt of the database:
Linode, LLC 178.79.160.0 - 178.79.167.255 www.linode.com
OVH Sp. z o. o. 178.32.191.0 - 178.32.191.127 www.ovh.com
myLoc managed IT AG 46.245.176.0 - 46.245.183.255 www.myloc.de
Click here to download the Hosting IP Ranges Database
How to download & parse the Datacenter database?
Download and unzip the Hosting Ranges database:
cd /tmp
curl -O https://raw.githubusercontent.com/NikolaiT/IP-Address-API/main/databases/hostingRanges.tsv.zip
unzip hostingRanges.tsv.zip
And parse with nodejs:
const fs = require('fs');
let hostingRanges = fs.readFileSync('hostingRanges.tsv').toString().split('\n');
for (let line of hostingRanges) {
let [company, network, domain] = line.split('\t');
console.log(company, network, domain);
}
API Response Format
The API output format is explained by walking through an example. Most of the returned information is self-explanatory.
This is how a typical API response looks like. The IP 107.174.138.172
was queried with the API call https://api.incolumitas.com/?q=107.174.138.172:
{
"ip": "107.174.138.172",
"rir": "ARIN",
"is_bogon": false,
"is_datacenter": true,
"is_tor": true,
"is_proxy": false,
"is_vpn": false,
"is_abuser": true,
"company": {
"name": "ColoCrossing",
"domain": "colocrossing.com",
"network": "107.172.0.0 - 107.175.255.255",
"whois": "https://api.incolumitas.com/?whois=107.172.0.0"
},
"datacenter": {
"datacenter": "ColoCrossing",
"domain": "www.colocrossing.com",
"network": "107.172.0.0 - 107.175.255.255"
},
"asn": {
"asn": 36352,
"route": "107.174.138.0/24",
"descr": "AS-COLOCROSSING, US",
"country": "us",
"active": true,
"org": "ColoCrossing",
"domain": "www.colocrossing.com",
"abuse": "abuse@colocrossing.com",
"type": "hosting",
"created": "2005-12-12",
"updated": "2013-01-08",
"rir": "arin",
"whois": "https://api.incolumitas.com/?whois=AS36352"
},
"location": {
"country": "United States of America",
"country_code": "US",
"state": "New York",
"city": "Buffalo",
"latitude": 42.8825,
"longitude": -78.8788,
"zip": "14202",
"timezone": "America/New_York",
"local_time": "2023-04-02T14:03:27-04:00",
"local_time_unix": 1680458607,
"is_dst": true
},
"elapsed_ms": 4.14
}
In the following section, the different parts of the API response are explained in-depth.
Response Format: Top Level API Output
The top level API output looks as follows:
{
"ip": "107.174.138.172",
"rir": "ARIN",
"is_bogon": false,
"is_datacenter": true,
"is_tor": true,
"is_proxy": false,
"is_vpn": false,
"is_abuser": true,
"elapsed_ms": 4.14
}
The explanation for the top level API fields is as follows:
Field ip
The field ip
has datatype string
.
It is the IP address that was looked up, in the example above it is 107.174.138.172
.
If no IP address was specified (Example: https://api.incolumitas.com/), the client's own IP address is looked up.
Field rir
The field rir
has datatype string
.
It specifies to which Regional Internet Registry the IP address belongs. Here it belongs to ARIN
, which is the RIR responsible for North America.
Field is_bogon
The field is_bogon
has datatype boolean
.
It determines if the IP address is bogon. Bogon IP Addresses is the set of IP Addresses not assigned/allocated to IANA and any RIR (Regional Internet Registry). For example, the loopback IP 127.0.0.1
is a special/bogon IP address. The IP address 107.174.138.172
is not bogon, hence it is set to false
here.
Field is_datacenter
The field is_datacenter
has datatype boolean
.
It specifies whether the IP address belongs to a datacenter or not. Here, we have the value true
, since 107.174.138.172
belongs to the hosting provider ColoCrossing
.
Field is_tor
The field is_tor
has datatype boolean
.
If the field is_tor
is true, the IP address belongs to the TOR network. This is the case here. Tor detection is accurate, so you can rely on the value of is_tor
. The API detects most TOR exit nodes reliably.
Field is_proxy
The field is_proxy
has datatype boolean
.
The field determines whether the IP address is a proxy. This is not the case here. In general, the flag is_proxy
only covers a subset of all proxies in the Internet.
Field is_vpn
The field is_vpn
has datatype boolean
.
The field determines if the IP address is a VPN. This is not the case with the IP 107.174.138.172
. In general, the flag is_vpn
only covers a subset of all VPN's in the Internet. It is not possible to detect all VPN exit nodes passively.
Field is_abuser
The field is_abuser
has datatype boolean
.
The field is_abuser
is true if the IP address committed abusive actions, which was the case with 107.174.138.172
. Various IP blocklists and threat intelligence feeds are used to populate the is_abuser
flag.
Open source and proprietary block lists are used in the API to populate the is_abuser
flag.
Field elapsed_ms
The field elapsed_ms
has datatype float
.
The field stores how much internal processing time was spent in milliseconds (ms). This lookup only took 4.14ms
, which is quite fast.
Response Format: The datacenter
object
"datacenter": {
"datacenter": "ColoCrossing",
"domain": "www.colocrossing.com",
"network": "107.172.0.0 - 107.175.255.255"
},
If the IP address belongs to a datacenter/hosting provider, the API response will include a datacenter
object with the following attributes:
datacenter
-string
- to which datacenter the IP address belongs. For a full list of datacenters, check the info endpoint. In this case, the datacenter's name isColoCrossing
.domain
-string
- The domain name of the companynetwork
-string
- the network this IP address belongs to (In the above case:107.172.0.0 - 107.175.255.255
)
Most IP's don't belong to a hosting provider. In those cases, the datacenter
object will not be present in the API output.
For a couple of large cloud providers, such as Google Cloud, Amazon AWS, DigitalOcean or Microsoft Azure (and some others), the datacenter
object is more detailed.
Amazon AWS example:
{
"ip": "3.5.140.2",
"datacenter": {
"datacenter": "Amazon AWS",
"network": "3.5.140.0/22",
"region": "ap-northeast-2",
"service": "EC2",
"network_border_group": "ap-northeast-2"
}
}
DigitalOcean example:
{
"ip": "167.99.241.130",
"datacenter": {
"datacenter": "DigitalOcean",
"code": "60341",
"city": "Frankfurt",
"state": "DE-HE",
"country": "DE",
"network": "167.99.240.0/20"
},
}
Linode example:
{
"ip": "72.14.182.54",
"datacenter": {
"datacenter": "Linode",
"name": "US-TX",
"city": "Richardson",
"country": "US",
"network": "72.14.182.0/24"
},
}
Response Format: The company
object
"company": {
"name": "ColoCrossing",
"domain": "colocrossing.com",
"network": "107.172.0.0 - 107.175.255.255",
"whois": "https://api.incolumitas.com/?whois=107.172.0.0"
},
Most IP addresses can be associated with an organization or company. The API uses whois database information to infer which organization is the owner of a certain IP address. Most API lookups will have an company
object with the following attributes:
name
-string
- The name of the companydomain
-string
- The domain name of the companynetwork
-string
- The network for which the company has ownershipwhois
-string
- An url to the whois information for the network of this IP address
Response Format: The asn
object
"asn": {
"asn": 36352,
"route": "107.174.138.0/24",
"descr": "AS-COLOCROSSING, US",
"country": "us",
"active": true,
"org": "ColoCrossing",
"domain": "www.colocrossing.com",
"abuse": "abuse@colocrossing.com",
"type": "hosting",
"created": "2005-12-12",
"updated": "2013-01-08",
"rir": "arin",
"whois": "https://api.incolumitas.com/?whois=AS36352"
},
Most IP addresses can be associated with an Autonomous System (AS). The asn
object provides the following attributes:
asn
-int
- The AS numberroute
-string
- The IP route as CIDR in this ASdescr
-string
- An informational description of the AScountry
-string
- The country where the AS is situated in (administratively)active
-string
- Whether the AS is active (active = at least one route administered by the AS)org
-string
- The organization responsible for this ASdomain
-string
- The domain of the organization to which this AS belongsabuse
-string
- The email address to which abuse complaints for this organization should be senttype
-string
- The type for this ASN, this is eitherhosting
,education
,government
,banking
,business
orisp
created
-string
- When the ASN was establishedupdated
-string
- The last time the ASN was updatedrir
-string
- To which Regional Internet Registry the ASN belongswhois
-string
- An url to the whois information for this ASN
For inactive autonomous systems, most of the above information is not available.
Response Format: The location
object
"location": {
"country": "United States of America",
"country_code": "US",
"state": "New York",
"city": "Buffalo",
"latitude": 42.8825,
"longitude": -78.8788,
"zip": "14202",
"timezone": "America/New_York",
"local_time": "2023-04-02T14:03:27-04:00",
"local_time_unix": 1680458607,
"is_dst": true
},
The API provides geolocation information for the looked up IP address. The location
object includes the following attributes:
country
-string
- The full name of the countrycountry_code
-string
- The ISO 3166-1 alpha-2 country code to which the IP address belongs. This is the country specific geolocation of the IP address.state
-string
- The state / administrative areacity
-string
- The city to which the IP address belongslatitude
-float
- The latitude for the IP addresslongitude
-float
- The longitude for the IP addresszip
-string
- The zip code for this IPtimezone
-string
- The timezone for this IPlocal_time
-string
- The local time for this IP in human readable formatlocal_time_unix
-int
- The local time for this IP as unix timestamp (int
)is_dst
-boolean
- Whether Daylight saving time (DST) is active in the region of this IP addressother
-array
- (Optional) - If there are multiple possible geographical locations, the attributeother
is included in the API response. It contains an array of ISO 3166-1 alpha-2 country codes which represent the possible other geolocation countries.
Country level geolocation accuracy is quite good, since the API provides information from several different geolocation service providers.
Furthermore, a proprietary geolocation database was built from scratch in order to source the location
object.
API Endpoints
The IP API currently has two endpoints.
GET Endpoint - Lookup a single IP Address or ASN
This GET endpoint allows to lookup a single IPv4 or IPv6 IP address by specifying the query parameter q
. Example: q=142.250.186.110
. You can also lookup ASN numbers by specifying the query q=AS209103
- Endpoint - https://api.incolumitas.com/
- Method -
GET
- Parameter -
q
- The IP address or ASN to lookup - Example - https://api.incolumitas.com/?q=3.5.140.2
- ASN Example - https://api.incolumitas.com/?q=AS42831
POST Endpoint - Query up to 100 IP Addresses in one API call
You can also make a bulk API lookup with up to 100 IP addresses (Either IPv4 or IPv6) in one single request.
- Endpoint - https://api.incolumitas.com/
- Method -
POST
- Content-Type -
Content-Type: application/json
- Parameter -
ips
- An array of IPv4 and IPv6 addresses to lookup
For example, in order to lookup the IP addresses
162.158.0.0
2406:dafe:e0ff:ffff:ffff:ffff:dead:beef
162.88.0.0
20.41.193.225
you can use the following POST API request with curl
:
curl --header "Content-Type: application/json" \
--request POST \
--data '{"ips": ["162.158.0.0", "2406:dafe:e0ff:ffff:ffff:ffff:dead:beef", "162.88.0.0", "20.41.193.225"]}' \
https://api.incolumitas.com/