Skip to content
  • There are no suggestions because the search field is empty.

Proxy detection and anonymous IP

End-users may use proxies to anonymize their traffic for a variety of reasons. They may be privacy-conscious web users who do not want their personal information tracked. However, anonymizers may also be attempting to get around geofencing or to hide their identity while engaging in fraud and other malicious activities.

Proxy detection is offered in a number of MaxMind products:

Anonymizer detection

If the IP address has been flagged as any kind of anonymizer, it will be identified with this data point.

Regardless of what type of anonymizer is being used, these services will all effectively hide the IP address of the end-user. Someone using an anonymizer may simply be a privacy-conscious web user, but it is important to note that all IP geolocation and IP intelligence data associated with an anonymous IP will correspond to the web host running the anonymizer rather than the end-user.

For example, suppose someone located in Oregon in the United States is using a VPN to browse your website from their mobile phone. Suppose that this VPN is hosted in a data center in California in the United States. We may identify that IP address as an anonymizing VPN. If we geolocate this IP address and provide IP intelligence data for it, we would geolocate the IP address to California, rather than Oregon, and would provide IP intelligence data for a hosting facility rather than a mobile network.

If you feel that a customer’s IP address was incorrectly flagged as an anonymizer, please contact our support team, and we will have our data review team investigate the IP. Please do not ask the customer to contact us directly.

You can read the API specifications for our anonymizer detection on our developer portal


Types of anonymizers

We identify five different kinds of anonymizers:

These different kinds of anonymizers operate in similar ways, taking advantage of the structure of the internet to effectively mask the IP address, and thus the geolocation, of the end-user. GeoIP products and services do not provide a way to find the IP address or geolocation of an end-user using an anonymizer. To learn more about anonymizer use as it relates to GeoIP accuracy, please check out our blog post, specifically the "VPNs and Other Proxies" section.

VPNs

Virtual private networks (VPNs) are usually a paid service, where a customer can browse the internet using an IP address provided by a third-party. This third-party acts as an intermediary for all browsing done by the user.

Many VPN users are privacy-conscious web users who are not necessarily engaged in any malicious activity.

You can read the API specifications for our VPN detection on our developer portal:

Hosting providers

Web hosting services can be used to create private proxies, and many VPN services use hosting providers instead of registering their own IP ranges. This means that if you see traffic associated with an end-user coming from a hosting provider, the end-user is probably using a VPN, even if we have not otherwise identified it as such.

You can read the API specifications for our hosting provider detection on our developer portal:

Public proxies

Public proxies tend to be easy to access and are openly published.

You can read the API specifications for our public proxy detection on our developer portal:

Residential proxies

Residential proxies are harder to detect than other kinds of proxies as these IPs appear to be associated with legitimate residential ISPs.

You can read the API specifications for our residential proxy detection in our developer portal:

TOR exit nodes

These are published IPs used as exit nodes for the TOR network. Traffic from these nodes have been relayed through several servers to preserve anonymity.

You can read the API specifications for our TOR exit node detection in our developer portal:

Other types of proxies

In addition to the anonymizers flagged above, there are other kinds of privacy-focused networks such as Apple iCloud Private Relay that protect the identity (and sometimes the more specific geolocation) of the end-user, but include additional oversight by the companies who manage these networks. Learn more about these networks.

Advanced anonymizer data

The GeoIP Insights web service, the Anonymous Plus database as well as minFraud insights and minFraud factors include additional data points that empower businesses to make more nuanced decisions on how to handle proxy traffic in security, compliance, and fraud prevention use cases.

Provider name 

The name of the VPN provider (e.g., NordVPN, SurfShark, etc.) associated with the network.

Not all anonymous network hosting providers carry the same risks. For example, you can use this field to adjust your blocking to minimize user friction from traffic on corporate VPNs.

You can read the API specifications for provider_name in our developer portal:

Anonymizer confidence

A score (1-99) representing the percent confidence that the network is part of an actively used VPN service.

  • High confidence (99): Precise network seen associated with a known anonymizing service
  • Medium confidence (30): Network likely associated with a known anonymizing service based on observations

Use these scores to block risky traffic without adding friction for legitimate users. To minimize false positives you may choose to incorporate additional checks to anonymizers with medium confidence.

You can read the API specifications for anonymizer_confidence in our developer portal:

Network last seen

The last day that the network was sighted in our analysis of anonymized networks. This is in the ISO 8601 date format (YYYY-MM-DD).

Since ISPs frequently reallocate IP addresses, if a network on your block list hasn’t been seen in a certain length of time, this field may help you avoid blocking stale threats.

You can read the API specifications for network last seen in our developer portal: