IP INTELLIGENCE: WHAT AN IP ADDRESS ACTUALLY REVEALS
Published: 2026-05-24
THE FIVE QUESTIONS AN IP ADDRESS ANSWERS
An IP address alone is just a 32-bit or 128-bit number. Against public data sources, it becomes an anchor for five distinct intelligence dimensions. Understanding what each dimension can and cannot tell you is the foundation of reliable IP-based OSINT — and knowing the limitations prevents the analytical errors that produce false attribution.
1. Physical location. Country-level accuracy is near-perfect for routable public IPs — geolocation databases disagree on country for fewer than 0.5% of addresses. City-level accuracy degrades sharply: for residential IP addresses, the best databases resolve to the ISP's hub city or network operations center, which may be 50–200 miles from the actual user's location. For datacenter IPs, city-level accuracy is much higher because the hosting company registers its block at a fixed physical location.
2. Network operator. Every public IP belongs to an organization that registered the IP prefix with a regional internet registry (ARIN, RIPE, APNIC, LACNIC, AFRINIC). The registration record names the ASN holder. This tells you who routes the traffic — which may be a cloud provider, an ISP, a CDN, a university, or a corporation's own network.
3. Infrastructure type. Is this a residential broadband address? A datacenter or VPS? A known VPN exit node? A Tor exit relay? A proxy service endpoint? Infrastructure classification is increasingly accurate as commercial providers maintain continuously updated lists of VPN/proxy/datacenter IP ranges.
4. Abuse history. Has this IP been reported for spam campaigns, brute-force attacks, C2 communication, port scanning, or credential stuffing? Aggregated threat intelligence from honeypots, security teams, and network operators provides a historical abuse record.
5. Reverse DNS. What hostname does this IP present in PTR records? Reverse DNS is voluntary and unverified — whoever controls the reverse zone for the address block can publish any hostname in the PTR record, and nothing checks that it matches a forward A/AAAA record — but datacenter IPs frequently carry meaningful reverse DNS (e.g., ec2-54-214-19-20.us-west-2.compute.amazonaws.com) that confirms provider and region.
GEOLOCATION ACCURACY AND ITS LIMITS
IP geolocation works by correlating IP prefix registrations with probe measurements, CDN logs, user-submitted data, and network topology analysis. The fundamental accuracy constraint is that IP blocks are assigned to organizations, not to specific physical locations.
A major ISP like Comcast holds IP blocks allocated to their network. The ARIN registration gives a corporate address — their headquarters or NOC. The actual customer using that IP may be anywhere in the ISP's service territory. For Comcast, that's most of the US. MaxMind and similar providers use measurement infrastructure to narrow down which city a given prefix actually serves, but this is probabilistic inference, not precise location.
The critical analytical failure mode: geolocating a VPN user gives you the VPN exit node, not the user. If a target's IP geolocates to Amsterdam, and that IP is flagged as belonging to a VPN provider's AS, the only information you have is that the target used a VPN with a Dutch exit node. Their physical location is unknown. This is the most common IP intelligence mistake in non-technical reporting.
Legitimate geolocation interpretation: use it to classify infrastructure (US datacenter vs. Russian residential vs. German cloud provider), not to make precise physical claims about individuals.
ASN LOOKUPS AND INFRASTRUCTURE CLASSIFICATION
Every publicly routable IP belongs to an Autonomous System identified by an ASN. The AS number directly links to the organization registered as its holder in the regional internet registry. Key ASNs to recognize immediately:
- AS15169 — Google (GCP, search infrastructure, DNS)
- AS16509 — Amazon AWS (largest cloud provider by IP count)
- AS8075 — Microsoft Azure
- AS14061 — DigitalOcean (VPS hosting)
- AS13335 — Cloudflare (CDN, proxy, DNS)
- AS20473 — Vultr (VPS hosting)
- AS174 — Cogent Communications (major transit provider)
An IP in AS14061 or AS20473 is definitively a rented VPS or dedicated server — not a residential end user. An IP in a small regional ISP's AS (AS22773 = Cox Communications, AS11486 = Verizon residential) is almost certainly a broadband subscriber. This classification is more reliable than geolocation for determining whether you're looking at a person's internet connection or a piece of attack infrastructure.
Look up ASN data directly:
# Using ipinfo.io API (free tier available)
curl https://ipinfo.io/198.51.100.1/json
# Response includes:
#   "org": "AS14061 DigitalOcean, LLC"
#   "city": "Toronto"
#   "country": "CA"

# Team Cymru WHOIS (free, high quality)
whois -h whois.cymru.com " -v 198.51.100.1"
# Returns: ASN | IP | BGP Prefix | CC | Registry | Allocated | Info
Automating these API calls across a list of IPs is straightforward — the ipinfo.io batch endpoint accepts up to 1,000 IPs per request.
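Turning the Team Cymru output above into a classification decision is a small parsing job, and the ASN table from this section is the lookup that makes it useful. The following is an added example, not code from the article or from the OpenOSINT project: it parses the pipe-separated Cymru format, maps the origin ASN to an infrastructure class using the ASNs listed above, and builds the text for Cymru's documented bulk (begin/verbose/end) interface. The sample output lines are constructed; 198.51.100.0/24 is TEST-NET-2 and is not announced on the real Internet, and the "NA" row shows how an unrouted address comes back.

```python
"""Parse Team Cymru WHOIS output and map the ASN to an infrastructure class.

Added example, not code from the article or the OpenOSINT project. The output
lines below are constructed to match the pipe-separated format the article
shows (198.51.100.0/24 is TEST-NET-2 and is not announced on the Internet);
the ASN-to-class table is the article's own list of key ASNs.
"""
from dataclasses import dataclass
from typing import Optional

# ASN -> (holder, class), taken from the article's list of ASNs to recognize.
KNOWN_ASNS = {
    15169: ("Google", "cloud"),
    16509: ("Amazon AWS", "cloud"),
    8075: ("Microsoft Azure", "cloud"),
    14061: ("DigitalOcean", "hosting"),
    20473: ("Vultr", "hosting"),
    13335: ("Cloudflare", "cdn"),
    174: ("Cogent Communications", "transit"),
    22773: ("Cox Communications", "residential"),
    11486: ("Verizon", "residential"),
}

# Constructed sample of `whois -h whois.cymru.com " -v <ip>"` output, one
# lookup per line; Cymru prints NA when a prefix has no BGP origin.
SAMPLE_CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
14061   | 198.51.100.1     | 198.51.100.0/24     | CA | arin     | 2013-01-01 | DIGITALOCEAN-ASN, US
22773   | 198.51.100.2     | 198.51.100.0/24     | US | arin     | 2013-01-01 | ASN-CXA-ALL-CCI-22773-RDC, US
NA      | 198.51.100.3     | NA                  |    |          |            | NA
"""


@dataclass(frozen=True)
class AsnRecord:
    ip: str
    asn: Optional[int]
    prefix: Optional[str]
    country: Optional[str]
    registry: Optional[str]
    as_name: Optional[str]


def _na(value: str) -> Optional[str]:
    """Cymru uses NA (or an empty column) for missing data."""
    return None if value in ("", "NA") else value


def parse_cymru(text: str) -> list:
    """Turn the 7-column pipe format into records; skips the header and blank lines."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue
        asn, ip, prefix, cc, registry, _allocated, name = fields
        records.append(AsnRecord(
            ip=ip,
            asn=int(asn) if asn.isdigit() else None,
            prefix=_na(prefix),
            country=_na(cc),
            registry=_na(registry),
            as_name=_na(name),
        ))
    return records


def classify(record: AsnRecord) -> str:
    """cloud | hosting | cdn | transit | residential | unknown | unrouted."""
    if record.asn is None:
        return "unrouted"  # no origin AS: unreachable, or reserved/bogon space
    return KNOWN_ASNS.get(record.asn, ("", "unknown"))[1]


def bulk_query(ips) -> str:
    """Text to send to whois.cymru.com port 43 for a bulk lookup
    (begin/verbose/.../end, per Team Cymru's documented bulk interface)."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"


if __name__ == "__main__":
    for rec in parse_cymru(SAMPLE_CYMRU_OUTPUT):
        asn = rec.asn if rec.asn is not None else "NA"
        print(f"{rec.ip:16} AS{asn:<7} {classify(rec):12} {rec.as_name}")
```

An address whose ASN is not in the table comes back as "unknown" rather than being guessed, which is the behaviour you want in a pipeline: the residential-versus-hosting call is only as reliable as the table behind it, so unknown ASNs should be surfaced for a human to add, not silently bucketed.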
ABUSE HISTORY AND REPUTATION SCORING
IP reputation databases aggregate reports from security operations centers, honeypot networks, spam traps, and automated abuse detection systems. The most useful public sources:
AbuseIPDB maintains reports submitted by the security community. Each report includes a timestamp, a category chosen by the submitting organization (SSH brute force, port scan, spam, C2, etc.), and an optional comment. The API returns an abuse confidence score from 0–100%, calculated from report volume, recency, and reporter diversity. A score above 50% indicates reports from multiple independent sources — this threshold is meaningful. A score of 80%+ with recent reports is strong evidence the IP is actively used for malicious activity.
OpenOSINT's search_abuseipdb tool queries the AbuseIPDB v2 API and surfaces: confidence score, total report count, country code, ISP, usage type (data center, residential, etc.), domain, and the timestamp of the most recent report. This integrates into the AI agent loop so Claude can reason about whether a reported IP represents current threat activity or historical noise.
VirusTotal's IP report shows detection verdicts from security vendors, passive DNS records showing which domains have resolved to this IP, files downloaded from the IP, and SSL certificates presented by the IP. This is complementary to AbuseIPDB — VirusTotal captures malware delivery and C2 patterns that AbuseIPDB's community reporting may miss.
$ openosint abuseipdb 198.51.100.1
[AbuseIPDB] IP: 198.51.100.1
[AbuseIPDB] Abuse Confidence Score: 82%
[AbuseIPDB] Total Reports: 94
[AbuseIPDB] Last Reported: 2026-05-20
[AbuseIPDB] Country: DE | ISP: Hetzner Online GmbH
[AbuseIPDB] Usage Type: Data Center/Web Hosting/Transit
COMBINING MULTIPLE SOURCES FOR CONFIDENT ATTRIBUTION
No single IP intelligence source is authoritative. Geolocation databases disagree. AbuseIPDB may be sparse for newer malicious IPs. VPN detection lists lag behind newly provisioned exit nodes. The methodology that produces reliable intelligence layers multiple sources and looks for convergent signals.
The three-source stack used in OpenOSINT:
- ipinfo.io — ASN, basic geolocation, reverse DNS, basic hosted/residential classification. Fast, free tier covers most investigative use.
- IP2Location.io — Enriched geolocation with infrastructure classification: VPN flag, proxy flag, Tor exit flag, datacenter flag, threat score. OpenOSINT's sponsored integration uses the IP2Location.io API, which provides these enriched fields that ipinfo's free tier doesn't include.
- AbuseIPDB — Historical abuse reports and confidence score from the security community.
Consider an IP that ipinfo.io places in the US, IP2Location flags as a VPN endpoint with high threat score, and AbuseIPDB scores at 75% confidence with 40 recent port scan reports. The convergence of three independent sources — provider classification, VPN detection, and community abuse reports — makes a strong case that this is threat infrastructure rather than a legitimate user. No single source would be as convincing alone.
$ openosint ip2location 198.51.100.1
[IP2Location] Country: US | City: New York
[IP2Location] ISP: M247 Europe SRL
[IP2Location] VPN: Yes | Proxy: No | TOR: No | Datacenter: Yes
[IP2Location] Threat Score: high
For IP reputation investigations, especially in incident response contexts where an IP appears in logs, the three-source stack gives you enough signal to classify the address within seconds — and feeds the full context into OpenOSINT's AI agent for narrative synthesis.
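The convergence logic described in this section, together with the AbuseIPDB thresholds (above 50%, 80%+ with recent reports) and the VPN geolocation caveat from earlier, as an added example that is not code from the article or from OpenOSINT. It takes one record from each of the three sources, applies the thresholds, and only declares convergence when provider classification, anonymizer detection and community abuse reports all agree. The input dictionaries are constructed to resemble the three providers' responses: the AbuseIPDB v2 field names (abuseConfidenceScore, totalReports, lastReportedAt) are the real API's; the ipinfo and IP2Location field names used here are assumptions for the example, not those providers' exact schemas.

```python
"""Convergence scoring across the three-source stack (ipinfo.io, IP2Location.io, AbuseIPDB).

Added example, not code from the article or the OpenOSINT project. The input
dictionaries are constructed to resemble the three providers' responses; only
the AbuseIPDB v2 field names (abuseConfidenceScore, totalReports, lastReportedAt)
are the real API's, the rest are assumed names for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed reference time so "recent" is reproducible (an assumption for the example).
NOW = datetime(2026, 5, 24, tzinfo=timezone.utc)
RECENT_WINDOW = timedelta(days=30)


@dataclass
class Verdict:
    infrastructure: str         # residential | hosting | vpn | tor | unknown
    location_claim: str         # what the geolocation legitimately supports
    abuse_level: str            # none | historical | multiple-sources | active
    signals: list = field(default_factory=list)
    convergent: bool = False    # all three independent sources point the same way


def interpret_abuse(abuse: dict, now: datetime = NOW) -> str:
    """Apply the article's thresholds to an AbuseIPDB v2 'data' object."""
    score = abuse.get("abuseConfidenceScore", 0)
    last = abuse.get("lastReportedAt")
    recent = bool(last) and now - datetime.fromisoformat(last) <= RECENT_WINDOW
    if score >= 80 and recent:
        return "active"
    if score > 50:
        return "multiple-sources"  # >50% implies multiple independent reporters
    return "historical" if abuse.get("totalReports", 0) > 0 else "none"


def classify_infrastructure(ipinfo: dict, ip2l: dict) -> str:
    """Anonymizers take precedence: a Tor or VPN flag overrides 'datacenter'."""
    if ip2l.get("is_tor"):
        return "tor"
    if ip2l.get("is_vpn") or ip2l.get("is_proxy"):
        return "vpn"
    if ip2l.get("is_datacenter") or ipinfo.get("hosting"):
        return "hosting"
    return "residential" if ipinfo.get("residential") else "unknown"


def assess(ipinfo: dict, ip2l: dict, abuse: dict, now: datetime = NOW) -> Verdict:
    infra = classify_infrastructure(ipinfo, ip2l)
    country = ipinfo.get("country", "??")
    # Geolocation is only as meaningful as the infrastructure type allows.
    if infra in ("tor", "vpn"):
        claim = f"exit node in {country}; the user's location is unknown"
    elif infra == "hosting":
        claim = f"datacenter in {country} (city-level usually reliable)"
    else:
        claim = f"ISP service area in {country} (city may be 50-200 miles off)"
    level = interpret_abuse(abuse, now)

    signals = []
    if ipinfo.get("hosting"):
        signals.append("provider classification: hosted, not residential")
    if infra in ("tor", "vpn") or ip2l.get("threat") == "high":
        signals.append("IP2Location: anonymizer or high threat score")
    if level in ("multiple-sources", "active"):
        signals.append(f"AbuseIPDB: {level} ({abuse.get('totalReports', 0)} reports)")
    return Verdict(infra, claim, level, signals, convergent=len(signals) == 3)


# Constructed records mirroring the article's worked case (198.51.100.0/24 is TEST-NET-2).
VPN_CASE = (
    {"ip": "198.51.100.1", "country": "US", "hosting": True, "residential": False},
    {"is_vpn": True, "is_proxy": False, "is_tor": False, "is_datacenter": True, "threat": "high"},
    {"abuseConfidenceScore": 75, "totalReports": 40, "lastReportedAt": "2026-05-20T10:02:11+00:00"},
)
RESIDENTIAL_CASE = (
    {"ip": "198.51.100.2", "country": "US", "hosting": False, "residential": True},
    {"is_vpn": False, "is_proxy": False, "is_tor": False, "is_datacenter": False, "threat": "low"},
    {"abuseConfidenceScore": 0, "totalReports": 0, "lastReportedAt": None},
)

if __name__ == "__main__":
    for case in (VPN_CASE, RESIDENTIAL_CASE):
        print(assess(*case))
```

The worked case from this section (US, VPN flagged, high threat score, 75% with 40 recent reports) comes out as "multiple-sources" rather than "active", because 75% sits below the 80% bar; it is still convergent because all three signals fire. A clean VPS with no abuse history fires only the provider signal and is not convergent, which is the right outcome: hosted infrastructure alone is not evidence of malice.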
SEE ALSO
- IP Reputation OSINT — Deep dive into threat intelligence feeds, AbuseIPDB integration, and reputation scoring methodology
- OSINT API Automation — Batch querying, rate limit handling, and pipeline design for IP intelligence at scale
- OpenOSINT Tools — search_ip, search_ip2location, and search_abuseipdb tool reference