iplogs.com

Free IP intelligence datasets

11 live feeds mirrored from authoritative upstream sources (Tor Project, Mullvad, AWS, Google Cloud, Oracle, DigitalOcean, Fastly, Cloudflare, FireHOL, Spamhaus) plus 5 IPLogs-curated reference datasets. Stable URLs, CC-BY 4.0, auto-refreshed. No signup, no API key.

16 datasetsCSV · JSON · TXTCC-BY 4.0Refresh 1h / 6h / daily

Live upstream feeds(11)

Mirrored from authoritative sources with stable Cache-Control. Build scripts can point here instead of hammering upstream.

Tor exit nodes

CSVHourlySource: Tor Project
Download~210 KB

Every IPv4 currently listed as a Tor exit relay. Sourced directly from the Tor Project's signed exit-addresses feed, refreshed hourly. Use this to flag, contextualise, or block Tor-originated traffic.

Columns
  • ipstring · IPv4 exit address
  • publishedISO8601
  • last_statusISO8601
  • seen_atISO8601
Typical uses
  • · Fraud gating on checkout and signup
  • · SOC / SIEM enrichment
  • · Academic replication studies
185.220.101.1,2026-04-23T10:00:00Z,2026-04-23T11:00:00Z,...
iplogs.com/data/tor-exits.csvUpstream: check.torproject.org

Tor relays (all, not just exits)

CSVEvery 6 hoursSource: Tor Project / Onionoo
Download~500 KB

Every running Tor relay on the network (guards, middles, bridges, exits), with fingerprint, nickname, IPv4 and IPv6 addresses. Sourced from the Tor Project's Onionoo consensus API.

Columns
  • fingerprintstring
  • nicknamestring
  • ipv4string
  • ipv6string
Typical uses
  • · Network research (relay distribution studies)
  • · Mapping entire Tor network footprint
  • · Bridge discovery analysis
iplogs.com/data/tor-relays.csvUpstream: onionoo.torproject.org

Mullvad WireGuard relays

CSVEvery 6 hoursSource: Mullvad VPN AB
Download~50 KB

Every active Mullvad VPN relay with hostname, country, city, provider, IPv4, IPv6, type, ownership flag. Direct passthrough from api.mullvad.net, refreshed every 6 hours. Canonical dataset for Mullvad exit detection.

Columns
  • hostnamestring
  • country_codestring
  • countrystring
  • citystring
  • ipv4string
  • ipv6string
  • providerstring
  • typewireguard | openvpn | bridge
  • active0 | 1
  • owned0 | 1
Typical uses
  • · Mullvad exit detection
  • · Research on WireGuard deployment patterns
iplogs.com/data/mullvad-relays.csvUpstream: api.mullvad.net

AWS IP ranges

JSONDailySource: Amazon Web Services
Download~2.4 MB

Amazon's full published ip-ranges.json, mirrored with a stable Cache-Control so you don't have to hit ip-ranges.amazonaws.com directly from build scripts. Includes every AWS region and service (EC2, CloudFront, Route53), IPv4 and IPv6.

Columns
  • prefixes[]object with ip_prefix, region, service
Typical uses
  • · AWS traffic classification
  • · CloudFront origin allowlist
  • · Cloud-region analytics
iplogs.com/data/aws-ranges.jsonUpstream: ip-ranges.amazonaws.com

Google Cloud IP ranges

JSONDailySource: Google Cloud
Download~100 KB

Google Cloud Platform's canonical IP range publication (cloud.json), mirrored with stable caching. Covers every GCP region, service, and scope (PREMIUM/STANDARD tier).

Columns
  • prefixes[]object with ipv4Prefix/ipv6Prefix, scope, service
Typical uses
  • · GCP traffic classification
  • · Allowlisting legitimate Google-originating traffic
iplogs.com/data/gcp-ranges.jsonUpstream: www.gstatic.com

Oracle Cloud IP ranges

JSONDailySource: Oracle Cloud
Download~50 KB

Oracle Cloud Infrastructure's published IP range JSON, documented at docs.oracle.com. Every OCI region with CIDR blocks and service tags.

Columns
  • regions[]object with region, cidrs[]
Typical uses
  • · OCI traffic classification
  • · Enterprise allowlisting
iplogs.com/data/oracle-cloud-ranges.jsonUpstream: docs.oracle.com

DigitalOcean IP ranges

CSVDailySource: DigitalOcean
Download~100 KB

DigitalOcean's published geo-annotated CIDR list. Each row carries the CIDR plus country / region / city geolocation of the datacenter. Mirrored with a CSV header row we added for convenience.

Columns
  • cidrstring
  • countryISO 3166-1 alpha-2
  • regionstring
  • citystring
  • postal_codestring
Typical uses
  • · Flagging droplet-originated traffic
  • · Geo-aware fraud rules
iplogs.com/data/digitalocean-ranges.csvUpstream: digitalocean.com

Fastly IP ranges

JSONDailySource: Fastly
Download~2 KB

Fastly CDN's official public IP range API. Used to allowlist legitimate Fastly-delivered traffic or to detect traffic originating from Fastly compute.

Columns
  • addresses[]IPv4 CIDR
  • ipv6_addresses[]IPv6 CIDR
Typical uses
  • · CDN allowlisting
  • · WAF bypass for Fastly-origin traffic
iplogs.com/data/fastly-ranges.jsonUpstream: api.fastly.com

Cloudflare IP ranges

TXTDailySource: Cloudflare
Download<1 KB

Canonical Cloudflare IPv4 and IPv6 ranges (published at cloudflare.com/ips), mirrored with a stable Cache-Control so your build scripts don't hammer Cloudflare directly.

Columns
  • cidrone CIDR per line, IPv4 then IPv6
Typical uses
  • · Reverse-proxy allowlist
  • · WAF bypass of Cloudflare-origin traffic
iplogs.com/data/cloudflare-ranges.txtUpstream: www.cloudflare.com

FireHOL Level 1 threat aggregate

TXTHourlySource: FireHOL / Team Cymru
Download~80 KB

FireHOL's Level 1 blocklist: a curated aggregate of the highest-signal threat feeds (Spamhaus DROP/EDROP, DShield top attacking, attacker honeypot feeds). Minimal false positives. CC-BY 4.0 licensed.

Columns
  • cidrone CIDR per line; comments start with #
Typical uses
  • · Edge-firewall blocklist
  • · Threat intel enrichment
  • · SOC rule feed
iplogs.com/data/firehol-abusers.txtUpstream: iplists.firehol.org

Spamhaus DROP (Don't Route or Peer)

TXTHourlySource: Spamhaus
Download~15 KB

Networks controlled by criminal enterprises, hijacked IP ranges, and known-malicious prefixes. Published by Spamhaus multiple times per day. Free for defensive use; one of the most respected threat-intel feeds in the industry.

Columns
  • cidr ; SBL-refone CIDR + ; + Spamhaus Block List reference per line
Typical uses
  • · Border-router ACL
  • · Threat intel enrichment
  • · Hijack-prefix detection
iplogs.com/data/spamhaus-drop.txtUpstream: www.spamhaus.org

IPLogs curated reference data(5)

Our own classification tables used by the detection pipeline. Smaller than the upstream feeds but carry per-entry descriptions and signal metadata.

Datacenter and CDN ASNs

CSVUpdated on deploySource: IPLogs curated catalogue
Download~5 KB

IPLogs-curated catalogue of autonomous systems we classify as datacenter hosting or CDN. Used internally by the detection pipeline's dc_ip signal. Smaller than the upstream cloud-provider feeds but has per-ASN descriptions and categorisation.

Columns
  • asnstring
  • namestring
  • countrystring
  • categorydatacenter | cdn
  • descriptionstring
Typical uses
  • · Bot defence allow/deny lists
  • · Traffic classification in analytics
  • · Compliance reporting
AS15169,Google LLC,US,datacenter,Google Cloud Platform…
iplogs.com/data/datacenter-asns.csv

Commercial VPN ASNs

CSVUpdated on deploySource: IPLogs curated catalogue
Download~2 KB

Autonomous systems officially registered to commercial VPN providers or confirmed as partner hosting infrastructure (NordVPN, Mullvad + parent, ProtonVPN, PIA, ExpressVPN, CyberGhost, VyprVPN, Opera VPN, M247, Trabia, Datacamp, and others). Any IP routed through one of these ASNs is a confirmed VPN exit without needing a probe.

Columns
  • asnstring
  • namestring
  • countrystring
  • descriptionstring
Typical uses
  • · High-confidence VPN classification
  • · Fraud rule engines
  • · Regional licensing compliance
AS212238,NordVPN,PA,NordVPN officially registered ASN...
iplogs.com/data/vpn-asns.csv

Residential-proxy backbone ASNs

CSVUpdated on deploySource: IPLogs curated (operator observations + vendor analysis)
Download<1 KB

26 hosting ASNs known to host residential-proxy infrastructure (Leaseweb family, ColoCrossing, M247, Performive, Hivelocity, HostPapa and others). Matches the residential_proxy_backbone signal used in the detection pipeline.

Columns
  • asnstring
  • namestring
  • countrystring
Typical uses
  • · Residential-proxy heuristic enrichment
  • · Bot defence (scraping prevention)
  • · Ad-fraud click auditing
AS60781,Leaseweb Netherlands B.V.,NL
iplogs.com/data/residential-proxy-backbones.csv

VPN provider catalogue

CSVUpdated on deploySource: IPLogs curated catalogue
Download~7 KB

31 commercial and self-host VPN providers with jurisdiction, registered ASN, protocols, and which detection signals flag them.

Columns
  • slugstring
  • namestring
  • jurisdictionstring
  • asnstring · when registered
  • protocolssemicolon-separated
  • detected_bysemicolon-separated signal names
  • descriptionstring
Typical uses
  • · Per-provider detection policy
  • · Licensing and jurisdiction review
iplogs.com/data/vpn-providers.csv

Country IP context

CSVUpdated on deploySource: IPLogs curated catalogue
Download~9 KB

73 countries with dominant residential ISPs, hosting footprint, known VPN provider presence, and regional notes. Useful for geo-risk scoring and regional compliance.

Columns
  • codeISO 3166-1 alpha-2
  • namestring
  • regionstring
  • notesstring
Typical uses
  • · Geo-risk scoring
  • · Regional bot-defence policy
  • · Compliance mapping
iplogs.com/data/countries.csv

Licensing and attribution

IPLogs-curated datasets are released under CC BY 4.0. Live feeds retain their upstream license (Tor Project, Mullvad, Spamhaus DROP free for defensive use, FireHOL CC-BY 4.0, the cloud-provider ranges are published openly by their respective providers). Mirroring exists for caching convenience, not republishing.

Suggested citation: IPLogs (2026). {Dataset name}. https://iplogs.com/tools

Prefer a live lookup?

The same classifications behind these datasets back the live detection API at POST https://iplogs.com/v1/check. Pass any IPv4, get verdict, score, confidence, and every signal that produced the reading.

API documentationLive IP checker