IP tracking tools allow you to learn more about an internet user based on their IP address. It’s a form of data enrichment: you start with a single data point (an IP address) to collect additional information.
There are dozens of different IP tracking tools out there. Some check proxies, while others look to see if an address appears on a blacklist. IP tracking is also known as IP address tracking, IP lookup, IP checkers, or even IP analytics.
With IP tracking you can identify traffic generated by bots, detect connections between users or determine how risky a transaction is. It is ideal at the onboarding phase, during user login, or at the purchase phase.
Why perform an IP check?
IP tracking tools provide a wide range of information. For some, this information is useful during an OSINT investigation. For others, it serves to reduce the possibility of dealing with fraudsters or other wrongdoers.
However, most IP scans tend to be done by technical teams in the context of systems administration or security research.
What data can you collect from an IP trace?
Without getting into the technical details, here is the kind of information you can get after enriching the data from an IP trace:
IP Address Validity
A simple ping test of an IP will reveal to you whether or not the address is receiving data. In simple terms, it is about checking if the IP address is valid.
The ping test response time should be fast (less than 10 ms). Anything over 100 ms could show that there are problems with that connection, including the fact that it is traversing proxies and nodes (see below).
Hundreds of email servers around the world collaborate to maintain lists of fraudulent, dangerous, or spammy IP addresses. These IPs are collected in the DNSBL (Domain Name Blacklist) and RBL (Real-time Blacklist), among other lists.
It’s easy enough to check if an IP address appears on any of these lists. If it appears, it should be a cause for alert, as it has probably been used previously to send spam via email.
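How such a list check works at the DNS level, as an added example that is not part of the original article: the address labels are reversed, the list's zone is appended, and an answer inside 127.0.0.0/8 means the address is listed. The zone names, the sample addresses and the fake_resolve stand-in are constructed so the code runs offline.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the DNS name to query: reversed address labels + list zone."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    # reverse_pointer is "10.2.0.192.in-addr.arpa" (or nibbles + "ip6.arpa");
    # drop the two arpa labels and append the list zone instead.
    labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{labels}.{zone}"

def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: answer} for every zone that lists `ip`."""
    hits = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            continue  # no A record: the address is not on this list
        # A listing is signalled by an answer in 127.0.0.0/8. Any other
        # answer (e.g. a resolver that rewrites NXDOMAIN) is not a hit.
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            hits[zone] = answer
    return hits

# --- constructed sample data: hypothetical zones, documentation addresses ---
ZONES = ["bl.example.test", "rewritten.example.test"]
FAKE_DNS = {"10.2.0.192.bl.example.test": "127.0.0.2"}

def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname."""
    if name.endswith(".rewritten.example.test"):
        return "203.0.113.5"  # simulates a resolver rewriting NXDOMAIN
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    raise socket.gaierror("not found")

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, check_dnsbl(ip, ZONES, resolve=fake_resolve))
```

With the default resolve argument the same function sends real DNS queries; a timeout surfaces as socket.gaierror too, so a production check should log lookup failures separately from clean results.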
Proxy server detection
Proxy detection lets you know if a user is hiding their IP address using a proxy, VPN (Virtual Private Network), or Tor node. These types of connections are designed to circumvent geographical restrictions or keep the user anonymous.
Although not necessarily pointing to fraudulent activity, this should increase the risk levels of dealing with this user. Some users connect through proxies for privacy reasons. However, others hide their IPs to deliberately mask their true identity online.
IP hostname and domain
Every IP address is connected to a hostname and a domain. By using a reverse DNS lookup, you can query DNS servers to get a PTR (pointer) record, which stores IP addresses.
This is useful for two reasons:
First, it provides an additional layer of information that can be used for troubleshooting network issues, identifying spam emails, or entering more user details as part of a fingerprint analysis process.
Second, you can also find out if a connection is hidden for anonymity reasons or if other websites are also hosted on the same DNS.
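A PTR record is set by whoever controls the reverse zone for the address, so a hostname obtained this way is only trustworthy once it resolves back to the same IP. The added example below (not from the original article) goes one step beyond the plain reverse lookup described above and performs that forward confirmation; the hostnames, addresses and the fake_reverse/fake_forward stand-ins are constructed so it runs offline.

```python
import ipaddress
import socket

def forward_confirmed_rdns(ip, reverse=socket.gethostbyaddr,
                           forward=socket.getaddrinfo):
    """Return (ptr_hostname, confirmed) for `ip`.

    confirmed is True only when the PTR hostname resolves back to `ip`.
    """
    target = ipaddress.ip_address(ip)
    try:
        hostname, _aliases, _addresses = reverse(ip)
    except OSError:  # socket.herror / socket.gaierror: no PTR record
        return None, False
    try:
        records = forward(hostname, None)
    except OSError:  # the PTR name does not resolve at all
        return hostname, False
    for _family, _type, _proto, _canon, sockaddr in records:
        candidate = sockaddr[0].split("%")[0]  # drop any IPv6 scope id
        if ipaddress.ip_address(candidate) == target:
            return hostname, True
    return hostname, False

# --- constructed sample data: documentation addresses, .test hostnames ---
FAKE_PTR = {
    "192.0.2.10": "mail.example.test",             # honest PTR
    "192.0.2.66": "trusted-crawler.example.test",  # PTR claims another name
}
FAKE_A = {
    "mail.example.test": ["192.0.2.10"],
    "trusted-crawler.example.test": ["198.51.100.7"],
}

def fake_reverse(ip):
    """Offline stand-in for socket.gethostbyaddr."""
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR record")
    return FAKE_PTR[ip], [], [ip]

def fake_forward(host, port):
    """Offline stand-in for socket.getaddrinfo."""
    if host not in FAKE_A:
        raise socket.gaierror("no address record")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0))
            for a in FAKE_A[host]]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99"):
        print(ip, forward_confirmed_rdns(ip, fake_reverse, fake_forward))
```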
IP addresses are issued by Internet Service Providers (ISPs), who randomly select them from their range. That range of potential IP addresses is tied to a rough geographic location. By doing a quick check, you can get an idea of where someone is connecting from.
Keep in mind that location accuracy varies from one ISP to the next. Things get even more complicated with mobile device IPs, which can change dynamically as the user connects through different mobile towers. When server workload is heavy, this can lead to one IP being assigned to multiple devices and real users at the same time. You can read about this in our guide to mobile proxies.
Still, getting an idea of a user’s geolocation has many benefits, even if you should have reservations about the results.
It is possible to pinpoint a place in the world with incredible precision, but it is also possible to be wrong by a large margin, especially when dealing with people who do not want to be located.
WHOIS is a query and response protocol designed to identify the owners of an IP address. Every IP address on the internet is managed by one of five internet registration organizations:
African Network Information Center (AFRINIC): for African IP addresses
American Registry for Internet Numbers (ARIN): IP addresses for the United States, Canada, and several Caribbean and North Atlantic islands
Asia-Pacific Network Information Center (APNIC): IP addresses for Asia, Australia and neighboring countries
Latin American and Caribbean Network Information Center (LACNIC): IP addresses for Latin America and parts of the Caribbean region
Reseaux IP Europeens Network Coordination Center (RIPE NCC): IP addresses for Europe, the Middle East and Central Asia
This is useful to confirm geolocation information that you already have or to identify data discrepancies. It can also point to the owner of a website, as you can look up WHOIS services by name, which is an additional data point to work with.
Open port verification
Proxy servers and computers that act as servers tend to have at least one port open. If you know what port this is, you can identify the server and its risk rate.
For example, we know that some unscrupulous proxy providers resell hacked SSH connections where port 22 is always open.
If you can identify that port 22 is open, you can start raising alerts. It may not necessarily mean you’re dealing with a bad guy, but it’s useful information to have as part of your digital profiling process.
How to trace an IP?
There are two methods in which an IP lookup tends to be performed:
Manual review: You identify the IP address and run the code yourself. You can also paste it into a dynamic online tool (which just runs the code for you). This is great for one-off reviews.
Third party services: Since you can extract a lot of information from IPs, there are some online services that allow you to run all the checks at the same time. These tend to be paid services. You can import these IP lists or connect to the service through APIs.
Can I trace an IP address?
Yes. An IP address can reveal a lot about the person connecting from it, such as their geolocation, internet service provider, and more. Please note that VPNs and proxies are designed to spoof IP addresses, so the results could be wrong.
Is tracking an IP legal?
Yes. IP addresses are considered public domain. Any IP tracking tool that derives information from these addresses is legal and GDPR compliant.
Where does the IP trace data come from?
IP tracking data is found in ISP databases, public blacklists, and proprietary databases. For example, some companies create their own lists of suspicious IP addresses, which they identify by creating honeypots.