iplogs.com

Frequently asked questions

Detailed answers about how IPLogs detects VPNs, what we can and can't see, rate limits, accuracy, and API integration.

What is a VPN detection service?

A VPN detection service examines an IP address and a set of behavioral signals to decide whether the endpoint is a commercial VPN, a residential or datacenter proxy, a Tor exit node, or a real end-user device. High-quality services combine IP reputation data, active probing, TLS and TCP fingerprints, and round-trip-time heuristics rather than relying on a single blacklist.

How does IPLogs detect VPNs?

Seven layers: (1) IP intelligence — curated VPN server lists, ASN classification, hourly-refreshed Tor exit list; (2) TCP/IP stack fingerprinting — MSS, TTL, window anomalies; (3) TLS/JA3 fingerprinting — matches ClientHello hashes to known VPN client libraries; (4) RTT analysis — SNITCH TCP vs TLS differential and cross-layer RTT checks from NDSS 2025; (5) active probing — OpenVPN HARD_RESET, WireGuard handshake init, IKEv2 SA_INIT, REALITY cert-switch; (6) client signals — timezone, language, WebRTC ICE leak; (7) port and network sanity.

Can IPLogs detect residential proxies?

Hosting-backed residential proxies that share IPs with known datacenter ASNs (Leaseweb, CoLoCrossing, HostPapa, Ace Data Centers, Colocation America) are reliably flagged by the datacenter-ASN layer. Peer-to-peer residential proxies that route traffic through real consumer ISP connections are the hardest category in the industry and require behavioral heuristics that IPLogs is actively researching. For the highest-confidence residential-proxy detection, combine IPLogs with session behavior analytics (mouse movement, typing cadence).

Can IPLogs detect Tor exits?

Yes. The Tor exit-node list is fetched from check.torproject.org once an hour. Any IP in the current list matches the tor_exit signal at weight 0.95, producing a vpn_detected verdict.

How is IPLogs different from IPQualityScore, IPHub, or GetIPIntel?

IPLogs has no signup requirement on its free tier, exposes every detection signal in the API response (not just a score), and has no commercial VPN business that creates a conflict of interest. Commercial services have larger enterprise support teams and longer-established SLAs, so the right choice depends on integration volume and compliance needs.

Is there a rate limit?

No enforced rate limit today — the public endpoint is fair-use. Sustained scraping or bulk-check abuse may be throttled or blocked at the edge; the active prober won't run probes against the same target faster than its built-in 8-second-per-IP fan-out cap allows. For predictable high-volume access, email admin@iplogs.com to discuss a dedicated deployment.

Does IPLogs store my IP address?

Only in transient request logs used for abuse detection. Logs rotate automatically. There is no persistent database of individual lookups, no tracking cookies, no advertising integrations, and no third-party analytics.

How accurate is the detection?

Against ground-truth datasets of known commercial VPN endpoints (NordVPN, Mullvad, SoftEther, Private Internet Access, ProtonVPN) the seven-layer pipeline achieves a true-positive rate above 95% with under 1% false positives on residential ISPs. Trusted infrastructure — public DNS anycast addresses and major CDNs (Cloudflare, Google, Fastly, Akamai, Microsoft, Apple, Meta, Netflix) — is explicitly allowlisted to prevent false alarms.

Does IPLogs work with IPv6?

Yes — IPv6 is first-class. POST /v1/check with an IPv6 literal, and the /ip/[ip] dashboard page handles both families. Per-relay lists (Mullvad, AirVPN), Tor onionoo, Apple Private Relay, and the dashboard search bar all support IPv6. The X4BNet aggregator feed remains IPv4-only because upstream doesn't publish a v6 list, but everything else is dual-stack.

What if I need dedicated infrastructure for very high volume?

Email admin@iplogs.com with your use case. For sustained multi-million-request workloads we can discuss a dedicated deployment, commercial terms, and SLAs. The public free tier is intended for small and medium integrations.

What databases does IPLogs use?

MaxMind GeoLite2 City and ASN MMDB files as the primary source. ip-api.com as the free fallback for IPs not covered locally. Tor exit nodes from check.torproject.org (hourly refresh). Mullvad WireGuard relays from api.mullvad.net (6-hour refresh). Additional VPN server lists can be loaded via the EXTRA_VPN_LIST environment variable.

How do I report a false positive?

Email admin@iplogs.com with the IP address, the verdict you received, and what the IP actually is (residential, corporate, cloud workload, etc). False positives are taken seriously and investigated within a few days.

Can IPLogs be used for bot detection?

Indirectly. A large fraction of scraping and bot traffic originates from datacenter IPs — these are flagged by the datacenter-ASN layer without CAPTCHAs. For human-vs-bot discrimination (headless browser detection, automation frameworks) combine IPLogs with a behavioral analytics tool.

Is IPLogs GDPR compliant?

IPLogs does not store personal data beyond transient request logs. IP addresses are personal data under GDPR, so operators integrating IPLogs into production applications must document the lawful basis for processing (typically legitimate interest for fraud prevention) and include IPLogs in their data-processing register. A data-processing agreement is available on request.