IP Security Database
Overview
Our IP Security Database and Threat Intelligence provides advanced malicious IP detection for both IPv4 and IPv6 addresses. This powerful IP threat intelligence database identifies high-risk IPs linked to spamming, phishing, botnets, open proxies, VPNs, Tor exit nodes, and compromised hosts. By integrating this intelligence into your systems, you can enhance fraud prevention, block suspicious connections in real-time, and protect your applications, APIs, and networks against cyberattacks.
Each IP record includes IP reputation data, threat categories, risk scores, and attack classifications, giving you actionable insights for automated security workflows. Our intelligence is aggregated from multiple trusted sources worldwide, ensuring broad coverage of malicious infrastructure. Combined with IP Location data, this database makes it easy to correlate threats by region, detect patterns, and take proactive measures against evolving attacks.
We update our IP security feeds multiple times every single day, so that the latest intelligence always backs your defenses. The database is available in CSV, MMDB, or custom formats for seamless integration with SIEMs, firewalls, fraud detection engines, and other cybersecurity platforms. Full documentation includes schema definitions, file specifications, and integration examples to help you deploy quickly and efficiently.
Available Database Formats
CSV Database Documentation
1. Overview
The CSV version of our IP to Security Database is delivered as a ZIP archive that includes Gzip-compressed files with IP ranges, location details, and multilingual place names. It's well-suited for bulk imports and easy integration into relational databases.
2. Archive Content
After downloading and extracting the IP to Security CSV database archive, you'll find the following files (with their types noted):
This Gzip-compressed CSV provides threat intelligence: IP ranges, threat scores, Tor/proxy flags, and more.
- File Size: 108.80 MB
- Entries: 17.0M
- Fields: 13
Documentation for dataset contents, schema, usage, and support.
- File Size: 4.55 KB
SHA-256 checksums for verifying file integrity.
- File Size: 164 Bytes
Schema
This section describes the schema of each file included in the IP to Security Database archive. For every file, you'll find its purpose, field definitions, and examples to help with integration.
1. db-ip-security.csv.gz
This file contains security threat data for IP address ranges. It maps each IP block to a threat_score and flags for specific security attributes, including Tor usage, proxy details, and identifying the IP as a known attacker, bot, or cloud provider.
| Field | Type | Description | Can be empty? | Example |
|---|---|---|---|---|
| start_ip | string | The starting IP address of the range in IPv4 or IPv6 format. | No | 192.168.0.1 |
| end_ip | string | The ending IP address of the range in IPv4 or IPv6 format. | No | 192.168.0.255 |
| threat_score | integer | The threat_score is a numerical value indicating the potential risk associated with the IP range, where a higher score suggests a greater risk. | No | 80 |
| is_tor | boolean | Indicates whether the IP range is associated with a Tor network. A value of true means it is a Tor exit node. | No | false |
| is_proxy | boolean | Indicates whether the IP range is associated with a proxy server. A value of true means it is a proxy. | No | true |
| proxy_type | string | Specifies which of the three types (VPN, PROXY, or RELAY) applies when is_proxy is true; otherwise remains empty. | Yes | VPN |
| proxy_provider | string | Name of the provider, if the IP address belongs to either a proxy, a VPN, or a relay network. | Yes | Nord VPN |
| is_anonymous | boolean | Indicates whether the IP range is associated with anonymous browsing. A value of true means it is an anonymous proxy. | No | true |
| is_known_attacker | boolean | Indicates whether the IP range has been flagged as associated with known attackers or malicious activity. | No | true |
| is_bot | boolean | Indicates whether the IP range is associated with bot traffic. A value of true means it is likely a bot. | No | false |
| is_spam | boolean | Indicates whether the IP range has been flagged for sending spam. A value of true means it is associated with spam activity. | No | false |
| is_cloud_provider | boolean | Indicates whether the IP range belongs to a cloud service provider. A value of true means it is a cloud provider. | No | true |
| cloud_provider | string | The name of the cloud service provider associated with the IP range, such as AWS, Azure, Google Cloud, etc. | Yes | Packethub S.A. |
I. Example Records
start_ip,end_ip,threat_score,is_tor,is_proxy,proxy_type,proxy_provider,is_anonymous,is_known_attacker,is_bot,is_spam,is_cloud_provider,cloud_provider
120.207.96.80,120.207.96.80,30,false,false,,,false,true,false,false,false,
152.110.73.0,152.110.73.0,75,false,true,VPN,,true,true,false,false,false,
60.243.60.155,60.243.60.155,45,false,true,PROXY,Evomi Proxy,true,false,false,false,false,
123.111.240.36,123.111.240.36,45,false,true,PROXY,Evomi Proxy,true,false,false,false,false,
136.0.17.224,136.0.17.227,5,false,false,,,false,false,false,false,true,"Ace Data Centers II, L.L.C."
88.249.140.132,88.249.140.132,45,false,true,PROXY,Evomi Proxy,true,false,false,false,false,
173.16.225.65,173.16.225.65,45,false,true,PROXY,Zyte Proxy,true,false,false,false,false,
160.3.163.28,160.3.163.28,45,false,true,PROXY,Zyte Proxy,true,false,false,false,false,
119.53.231.168,119.53.231.168,30,false,false,,,false,true,false,false,false,
49.150.206.8,49.150.206.8,45,false,true,PROXY,Evomi Proxy,true,false,false,false,false,
60.254.88.43,60.254.88.43,45,false,true,PROXY,Evomi Proxy,true,false,false,false,false,
2. File Relationship Diagram
File Format & Encoding
All IP to Security CSV datasets are provided in UTF-8 encoding, comma-separated, and compressed with Gzip (.csv.gz). Each file includes a header row listing the field names for clarity and consistency.
Field values are unquoted by default, with quotes applied only in the following cases:
- Line breaks within text fields.
- Commas inside a value (e.g., addresses).
- Lists of values (e.g., languages).
- Spaces that may be auto-quoted by export tools.
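Loading db-ip-security.csv.gz according to the schema and quoting rules above, as an added example rather than code from IPGeolocation.io: it parses the Gzip-compressed CSV, converts the "true"/"false" flags and the score to typed values, and resolves an IPv4 or IPv6 address to its range by binary search. The sample rows are constructed, ranges are assumed not to overlap, and the function names and the decide() threshold are hypothetical.

```python
import bisect, csv, gzip, io, ipaddress

BOOLS = {"true": True, "false": False}  # any other spelling raises KeyError
# Constructed sample in the documented column order (documentation-range addresses).
SAMPLE = (
    "start_ip,end_ip,threat_score,is_tor,is_proxy,proxy_type,proxy_provider,"
    "is_anonymous,is_known_attacker,is_bot,is_spam,is_cloud_provider,cloud_provider\n"
    "192.0.2.10,192.0.2.10,30,false,false,,,false,true,false,false,false,\n"
    "198.51.100.0,198.51.100.255,75,false,true,VPN,,true,true,false,false,false,\n"
    '203.0.113.4,203.0.113.7,5,false,false,,,false,false,false,false,true,"Example Cloud, Inc."\n'
    "2001:db8::,2001:db8::ffff,45,false,true,PROXY,Example Proxy,true,false,false,false,false,\n"
)

def load_index(source):
    """Read a .csv.gz (path or binary file object) into {ip_version: (starts, rows)}."""
    rows = {4: [], 6: []}
    with gzip.open(source, "rt", encoding="utf-8", newline="") as fh:
        for row in csv.DictReader(fh):  # copes with the quoted-value cases
            start = ipaddress.ip_address(row["start_ip"])
            end = ipaddress.ip_address(row["end_ip"])
            if start.version != end.version or start > end:
                raise ValueError(f"bad range {row['start_ip']} - {row['end_ip']}")
            rec = dict(row, threat_score=int(row["threat_score"]))
            rec.update({k: BOOLS[v] for k, v in row.items() if k.startswith("is_")})
            rows[start.version].append((int(start), int(end), rec))
    index = {}
    for version, items in rows.items():
        items.sort(key=lambda item: item[0])
        index[version] = ([item[0] for item in items], items)
    return index

def lookup(index, ip):
    """Return the record whose range contains ip, or None if the address is not listed."""
    addr = ipaddress.ip_address(ip)
    starts, items = index[addr.version]
    pos = bisect.bisect_right(starts, int(addr)) - 1  # last range starting at or before ip
    return items[pos][2] if pos >= 0 and int(addr) <= items[pos][1] else None

def decide(record, block_at=70):
    """Hypothetical policy: block high scores, challenge anonymizers and known attackers."""
    if record is None:
        return "allow"  # unlisted means no intelligence, not proof of safety
    if record["threat_score"] >= block_at:
        return "block"
    flagged = record["is_tor"] or record["is_anonymous"] or record["is_known_attacker"]
    return "challenge" if flagged else "allow"

INDEX = load_index(io.BytesIO(gzip.compress(SAMPLE.encode("utf-8"))))
```

For the real file, pass its path to load_index(); the 17.0M-entry dataset is better served by a database or the MMDB format than by an in-memory list.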
MMDB Database Documentation
1. Overview
The MMDB version of the database consists of three files: one MMDB file containing IP security data, a README file, and a checksum file, all compressed together in a ZIP file for easy delivery.
2. Archive Content
After downloading and extracting the IP to Security MMDB database archive, you'll find the following files (with their types noted):
Contains security details for IP addresses: VPN/proxy, Tor, attacker flags, and cloud provider names.
- File Size: 368.59 MB
- Entries: 17.0M
Documentation for dataset contents, schema, usage, and support.
- File Size: 4.55 KB
SHA-256 checksums for verifying file integrity.
- File Size: 162 Bytes
Response Schema
This section describes the structure of the data returned from the IP to Security MMDB file. Each field is detailed with its type, meaning, and example values to help you interpret responses and integrate them into your applications.
1. db-ip-security.mmdb
This file contains security details for both IPv4 and IPv6 address ranges. Below is an example of the structure you will encounter in the response.
2. Field Reference
The following reference lists all fields available in the MMDB response. Each entry includes the field path, its description, data type, and example value to help you understand how to parse and integrate the data.
2. Example Records
{
  "cloud_provider": "",
  "is_anonymous": "false",
  "is_bot": "false",
  "is_cloud_provider": "false",
  "is_known_attacker": "true",
  "is_proxy": "false",
  "is_spam": "false",
  "is_tor": "false",
  "proxy_provider": "",
  "proxy_type": "",
  "threat_score": 30
}
Database Integrity & Authenticity Verification
There are two methods of verifying the integrity and authenticity of our Database:
1. Using the Signature File (Recommended)
IPGeolocation.io signs every database release to ensure its authenticity and integrity. This allows customers to verify that a downloaded IP to Security database file originates directly from IPGeolocation.io and has not been altered, corrupted, or tampered with during transfer or storage.
Each database update includes a corresponding signature file, generated using our private signing key. Customers can validate the database using the provided public verification key. To verify a database file, you need:
- Database file (the downloaded archive)
- Signature file (the matching signature for that archive)
- Public key (public-key.pem)
These files are available via official IPGeolocation.io download endpoints and are also shared in database update notifications.
The public key may be provided as PEM-encoded text. Save it to a file named public-key.pem.
Ensure OpenSSL is installed on your system. If it is not, install it using the following command.
On Linux, if openssl is not installed:
sudo apt install openssl
Verify the OpenSSL installation:
openssl version
To verify the database file, run the following command, replacing the placeholders with your actual file paths:
openssl dgst -sha256 -verify <path-to-public-key.pem> -signature <path-to-signature-file.sig> <path-to-database-file.zip>
Example output:
Verified OK
If verification fails, do not use the file; re-download the database and signature from official IPGeolocation endpoints. If the issue persists, please contact our support team.
2. Using the Checksum File (Legacy)
Each database archive includes a checksum.txt file containing the SHA-256 checksums for the files packaged in the archive. You can use this file to validate that the extracted contents are complete and unchanged.
Always verify downloaded files with the provided checksum before importing.
On Linux, if sha256sum is not installed, first run:
sudo apt-get install coreutils
Then check the archive files against the checksum file with:
sha256sum -c checksum.txt
Example output:
db-ip-security.csv.gz: OK
README.md: OK
*Your output may differ depending on the specific database archive you downloaded.
If a file's checksum does not match, FAILED will be shown instead of OK. If verification fails, first confirm that the download completed correctly; if the issue persists, please contact our support team.
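Both verification methods above combined into one gate for an automated import job, as an added example that is not IPGeolocation.io's code: it runs the documented openssl command and accepts the archive only on exit status 0, then compares every archive member against checksum.txt without extracting anything. It assumes checksum.txt sits at the archive root in the sha256sum format that `sha256sum -c` reads; the function names are hypothetical.

```python
import hashlib
import subprocess
import zipfile

def signature_ok(archive, signature, public_key):
    """Run the documented openssl check; only exit status 0 counts as verified."""
    cmd = ["openssl", "dgst", "-sha256", "-verify", str(public_key),
           "-signature", str(signature), str(archive)]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=300).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False  # openssl missing or hung: fail closed

def parse_checksums(text):
    """Parse sha256sum-style lines ("<hex digest>  <name>") into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def checksum_failures(archive):
    """List members that are altered, missing, or not covered by checksum.txt."""
    bad = set()
    with zipfile.ZipFile(archive) as zf:
        expected = parse_checksums(zf.read("checksum.txt").decode("utf-8"))
        members = [n for n in zf.namelist()
                   if n != "checksum.txt" and not n.endswith("/")]
        for name in members:
            digest = hashlib.sha256()
            with zf.open(name) as member:  # hashed in chunks, nothing is extracted
                for chunk in iter(lambda: member.read(1 << 20), b""):
                    digest.update(chunk)
            if expected.get(name) != digest.hexdigest():
                bad.add(name)
        bad.update(set(expected) - set(members))
    return sorted(bad)

def accept_release(archive, signature, public_key):
    """Signature first (authenticity), then per-file checksums (completeness)."""
    if not signature_ok(archive, signature, public_key):
        return False
    try:
        return not checksum_failures(archive)
    except (KeyError, ValueError, zipfile.BadZipFile):
        return False  # no checksum.txt, malformed list, or unreadable archive
```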
Data Format & Constraints
- All fields defined in the schema are always present in the IP to Security MMDB response.
- Fields may contain empty strings (""), but never null, so null checks are not required.
- Place names such as countries, states, districts, and cities are available in multiple translations.
- All text values are encoded in UTF-8.
- Field names and response structure remain stable across updates for backward compatibility.
Database Updates & Delivery
When you subscribe to our IP to Security database, we'll send you static download links. These links never change, so you can use them both for your initial download and for all future updates. You will receive:
- Database Archive URL: downloads the latest release of your subscribed database (CSV, MMDB or requested formats).
- Signature File URL: downloads the matching signature file for the latest release (used for authenticity verification).
- Public Key URL: downloads the public verification key (used with the signature file).
- Status Endpoint URL: returns the database's most recent update timestamp.
Our databases are refreshed daily and weekly, ensuring you always have access to the most current data. Each time your subscribed dataset is updated, you'll also receive an email notification so you don't miss a release.
For automated workflows, you can check our status endpoint to see the last update timestamp. When the date changes, simply re-fetch the archive using your static download URL to pull the latest version into your system.