Back to blog
Security

IP reputation: why your firewall isn't enough

Josselin Liebe
Josselin Liebe

Static IP blocklists can't keep up with attackers who rotate through VPNs, residential proxies, and Tor exit nodes. The Veille IP Reputation API (GET /v1/intelligence/ip) analyzes each IP in real time across multiple dimensions and returns a threat_score from 0 to 100.

What the API returns

For any IPv4 or IPv6 address, you get: VPN/proxy/Tor/datacenter detection, ASN and network owner details, geolocation (country, city, coordinates, timezone), and whether the IP has been flagged as an abuser or crawler.

Quick integration

Python

import requests

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://api.veille.io/v1"

response = requests.get(
    f"{BASE_URL}/intelligence/ip",
    params={"query": "82.64.12.193"},
    headers={"x-api-key": API_KEY},
)
data = response.json()

if data["is_vpn"] or data["threat_score"] > 60:
    print(f"Suspicious IP - score: {data['threat_score']}")
else:
    print(f"Clean IP from {data['location']['country']}")

TypeScript

const API_KEY = "YOUR_API_KEY";
const BASE_URL = "https://api.veille.io/v1";
const headers = { "x-api-key": API_KEY };

const response = await fetch(
  `${BASE_URL}/intelligence/ip?query=82.64.12.193`,
  { headers }
);
const data = await response.json();

if (data.is_vpn || data.threat_score > 60) {
  console.log(`Suspicious IP - score: ${data.threat_score}`);
} else {
  console.log(`Clean IP from ${data.location.country}`);
}

Key response fields

  • is_vpn / is_proxy / is_tor - specific anonymization flags
  • is_datacenter - identifies cloud/hosting IPs used for automated attacks
  • is_abuser - flagged for known malicious activity
  • asn - network owner, type (isp, hosting, business), and country
  • threat_score - 0 (clean) to 100 (high threat)

5 use cases

  1. Signup fraud detection - flag accounts created from VPN or Tor exit nodes for manual review.
  2. Adaptive authentication - add CAPTCHA or MFA when the IP comes from a datacenter or proxy.
  3. Geo-restriction enforcement - verify the user's actual country matches your service region.
  4. Rate limiting - apply stricter rate limits to IPs with high threat scores.
  5. Payment fraud prevention - compare the IP geolocation with the billing address before processing a charge.

Related posts

Engineering

How we built a disposable email dataset

Headless browsers, screenshots, OCR, validation pipelines: a technical look at how we built the dataset behind our disposable email detection API.

Read more
Security

How disposable emails are used in account fraud

Disposable email services make it trivial for attackers to create fake accounts at scale. Learn how to detect and block them with the Veille Email Validation API.

Read more
Engineering

Building a fraud detection pipeline

A practical guide to combining email, domain, and IP validation into a unified fraud scoring system.

Read more