IP Threat Intelligence & Abuse Management
Enrich security workflows with real-time IP reputation, privacy detection, and abuse contact data
Malicious actors hide behind VPNs, proxies, and Tor exit nodes while abusing IP addresses for spam, DDoS, and credential stuffing. EdgeDNS provides comprehensive IP intelligence to identify threats, detect anonymization, and streamline abuse reporting.
The Challenge
Security teams face an overwhelming volume of suspicious IPs across firewalls, WAFs, and application logs. Determining whether an IP belongs to a legitimate VPN user, a known botnet, or a Tor exit node requires querying multiple threat feeds and WHOIS databases manually. Reporting abuse to the correct ISP is equally fragmented, with no single source for abuse contact information.
The Solution
Use EdgeDNS IP intelligence APIs to build automated threat enrichment pipelines. Check IP reputation against blacklists and threat feeds, detect VPN/proxy/Tor/datacenter usage, look up WHOIS registration and abuse contacts, and correlate with geolocation and reverse DNS for complete context.
Endpoints Used
Combine these EdgeDNS endpoints to build this solution.
/v1/ip/reputation (IP Reputation): Check IP against blacklists, spam databases, and threat feeds
/v1/ip/privacy (IP Privacy Detection): Detect VPN, proxy, Tor exit nodes, and datacenter IPs
/v1/ip/whois (IP WHOIS): WHOIS registration data with a structured `abuse_contact` shortcut (extracted from role=abuse entities and RIPE-style `abuse-mailbox` vCards), plus `status_summary` and a CIDR-mismatch guard against inconsistent registry data
/v1/ip/geolocation (IP Geolocation): Country, city, ISP, ASN, plus a `privacy` object (is_tor / is_hosting / is_relay / is_proxy_or_vpn) derived from the Tor exit list, iCloud Private Relay ranges, and curated VPN/hosting ASNs, so a single call covers geographic and anonymization context
/v1/ip/reverse (Reverse DNS): PTR records, forward-confirmed reverse DNS (up to 10 hostnames), plus an `email_deliverability` rollup (pass / warn_generic / warn_no_fcrdns / fail_no_ptr) ready to feed into spam triage
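To make the `email_deliverability` rollup concrete, here is an added example (not EdgeDNS code) that classifies an IP into the same four buckets from PTR and forward lookups. The bucket rules and the "generic hostname" heuristic are assumptions that mirror the bucket names; the resolver is injected so the code runs offline against constructed records.

```javascript
// Added example, not EdgeDNS's implementation. Classifies an IP's mail-sending
// posture into pass / warn_generic / warn_no_fcrdns / fail_no_ptr. The exact
// thresholds the service uses are not documented on this page (assumption).

// Hostnames that embed the IP or look auto-assigned count as "generic" (assumption).
const GENERIC_PTR = /(\d{1,3}[-.]){3}\d{1,3}|^(dyn|dhcp|pool|static|host|ip)[-\d]/i;

function isGenericHostname(host) {
  return GENERIC_PTR.test(host);
}

function emailDeliverability(ip, resolver) {
  const ptrs = resolver.ptr(ip);
  if (ptrs.length === 0) {
    return { recommendation: 'fail_no_ptr', confirmed: [] };
  }
  // Forward-confirmed reverse DNS: a PTR name only counts if its forward
  // record resolves back to the queried IP (cap at 10 names, as the endpoint does).
  const confirmed = ptrs.slice(0, 10).filter(h => resolver.forward(h).includes(ip));
  if (confirmed.length === 0) {
    return { recommendation: 'warn_no_fcrdns', confirmed };
  }
  // FCrDNS passes, but a dynamic-looking name is still a weak sender signal.
  const generic = confirmed.every(isGenericHostname);
  return { recommendation: generic ? 'warn_generic' : 'pass', confirmed };
}

// Constructed DNS data for the demonstration (not real records).
const FAKE_DNS = {
  ptr: {
    '203.0.113.10': ['mail.example.net'],
    '203.0.113.11': ['mail.example.net'],   // PTR claims a name that does not resolve back
    '203.0.113.12': ['203-0-113-12.dyn.example-isp.net'],
    '203.0.113.13': [],
  },
  forward: {
    'mail.example.net': ['203.0.113.10'],
    '203-0-113-12.dyn.example-isp.net': ['203.0.113.12'],
  },
};
const offlineResolver = {
  ptr: ip => FAKE_DNS.ptr[ip] ?? [],
  forward: host => FAKE_DNS.forward[host] ?? [],
};
```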
Results You Can Achieve
Composite reputation score per IP
Threat-feed presence, ASN reputation, geolocation, and known-bad classifications combined into a single triage signal.
VPN, proxy, Tor, and relay flagging in real time
Anonymizer-network classification surfaces evasion attempts — Tor exits from the project's public list, iCloud Private Relay from Apple's published egress ranges, hosting and VPN ASNs from a curated allowlist. Useful for fraud screening and gating high-risk endpoints without a paid privacy-detection vendor.
One-shot abuse contact per IP
`abuse_contact` returned as a top-level field on both `/v1/ip/whois` and `/v1/ip/range`. Pulls from role=abuse entities first, then the `abuse-mailbox` vCard extension RIPE prefers — so RIPE and ARIN networks both yield a directly usable email without a second lookup.
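The lookup order described above (role=abuse entity first, then a RIPE-style `abuse-mailbox` vCard property) can be reproduced over a raw RDAP response. The following is an added example, not EdgeDNS's own code; the entity walk and field names follow the RDAP JSON layout (RFC 9083), and the registry fragments are constructed.

```javascript
// Added example, not EdgeDNS's implementation: derive one abuse_contact from an
// RDAP IP response. Assumes the RFC 9083 shape: entities[] with roles[] and
// vcardArray = ["vcard", [[prop, params, type, value], ...]], possibly nested.

function vcardProps(entity, name) {
  const props = entity.vcardArray?.[1] ?? [];
  return props.filter(p => p[0] === name).map(p => p[3]);
}

function* walkEntities(obj) {
  for (const e of obj.entities ?? []) {
    yield e;
    yield* walkEntities(e);   // RDAP entities may themselves carry entities
  }
}

function extractAbuseContact(rdap) {
  // 1. Preferred: an entity explicitly tagged with the abuse role.
  for (const e of walkEntities(rdap)) {
    if ((e.roles ?? []).includes('abuse')) {
      const email = vcardProps(e, 'email')[0] ?? vcardProps(e, 'abuse-mailbox')[0];
      if (email) return { email, source: 'role_abuse', handle: e.handle ?? null };
    }
  }
  // 2. Fallback: RIPE-style abuse-mailbox on any entity (often the org or admin contact).
  for (const e of walkEntities(rdap)) {
    const mailbox = vcardProps(e, 'abuse-mailbox')[0];
    if (mailbox) return { email: mailbox, source: 'abuse_mailbox_vcard', handle: e.handle ?? null };
  }
  return null;   // caller falls back to a manual lookup
}

// Constructed RDAP fragments (not real registry data).
const ARIN_STYLE = {
  entities: [{
    handle: 'ORG-EX', roles: ['registrant'],
    vcardArray: ['vcard', [['version', {}, 'text', '4.0'], ['fn', {}, 'text', 'Example Org']]],
    entities: [{
      handle: 'ABUSE-EX', roles: ['abuse'],
      vcardArray: ['vcard', [['version', {}, 'text', '4.0'], ['email', {}, 'text', 'abuse@example.net']]],
    }],
  }],
};
const RIPE_STYLE = {
  entities: [{
    handle: 'ORG-RX', roles: ['registrant', 'administrative'],
    vcardArray: ['vcard', [['version', {}, 'text', '4.0'], ['abuse-mailbox', {}, 'text', 'abuse@example-ripe.net']]],
  }],
};
```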
Code Example
Comprehensive IP threat assessment
async function assessIPThreat(ipAddress) {
  const headers = { 'Authorization': 'Bearer YOUR_API_KEY' };
  // Run all five lookups in parallel and decode each JSON body.
  const [reputation, privacy, whois, geo, reverse] = await Promise.all([
    fetch(`https://api.edgedns.dev/v1/ip/reputation?ip=${ipAddress}`, { headers }),
    fetch(`https://api.edgedns.dev/v1/ip/privacy?ip=${ipAddress}`, { headers }),
    fetch(`https://api.edgedns.dev/v1/ip/whois?ip=${ipAddress}`, { headers }),
    fetch(`https://api.edgedns.dev/v1/ip/geolocation?ip=${ipAddress}`, { headers }),
    fetch(`https://api.edgedns.dev/v1/ip/reverse?ip=${ipAddress}`, { headers }),
  ].map(p => p.then(r => r.json())));

  // WHOIS returns a structured abuse_contact (role=abuse + RIPE abuse-mailbox vCard).
  // Geolocation returns its own privacy rollup, so a second /v1/ip/privacy call is optional.
  const abuseContact = whois.data.abuse_contact;
  const geoPrivacy = geo.data.privacy;

  // Triage ladder: confirmed-malicious beats Tor, which beats VPN/proxy.
  const threatLevel =
    reputation.data.is_malicious ? 'critical' :
    (privacy.data.is_tor || geoPrivacy?.is_tor) ? 'high' :
    (privacy.data.is_vpn || privacy.data.is_proxy || geoPrivacy?.is_proxy_or_vpn) ? 'medium' : 'low';

  return {
    ip: ipAddress,
    threatLevel,
    reputation: {
      isMalicious: reputation.data.is_malicious,
      detections: reputation.data.detections,
      detectionDetails: reputation.data.detection_details
    },
    privacy: {
      isVPN: privacy.data.is_vpn,
      isProxy: privacy.data.is_proxy,
      isTor: privacy.data.is_tor,
      isDatacenter: privacy.data.is_datacenter,
      // geo.data.privacy.classification_source records which list flagged the IP:
      // "tor_exit_list", "icloud_relay_ranges", "curated_asn", etc.
      source: geoPrivacy?.classification_source ?? null
    },
    location: geo.data.country + ', ' + geo.data.city,
    hostname: reverse.data.hostnames?.[0] ?? null,
    mailHealth: reverse.data.email_deliverability?.recommendation ?? null,
    abuseContact: abuseContact?.email ?? null,
    action: threatLevel === 'critical' ? 'BLOCK' : threatLevel === 'high' ? 'CHALLENGE' : 'ALLOW'
  };
}
Learn More
Explore industry standards and best practices related to this use case.
Spamhaus Blocklists
Industry-standard IP and domain blocklists used by ISPs and security teams worldwide
NIST SP 800-150: Cyber Threat Information Sharing
NIST guidelines for sharing and consuming cyber threat intelligence data
FIRST - Forum of Incident Response and Security Teams
Global forum for incident response teams coordinating threat intelligence and security operations
Ready to build IP Threat Intelligence & Abuse Management?
Get started with 200 free API requests per month. No credit card required.