Home > Programming, Servers & Scripts >

How to Detect VPN / Corporate IP Ranges? (9)

09-24-2014 03:36 PM #1 Adamw (AMC Alumnus)
How to Detect VPN / Corporate IP Ranges?

Do any of you PHP or server guru's know how to detect a corporate IP or a VPN IP?

A thousand thanks if you do and wouldn't mind sharing! Feel free to PM as well!

09-24-2014 05:06 PM #2 IanAtSTM (Member)

You could try a geoIP database for this. Something along the lines of https://www.maxmind.com/ or http://db-ip.com/ , perhaps.

If it's being done through a corporate that's got it's own range of IP addresses, and they're actually using one of the IP addresses within that range, you may well have some luck with this approach.

Maxmind has a 'detect proxy' function that will work with known VPNs, however you won't catch all of them that way. If someone's set up a VPS as a proxy, then it'll just detect that VPS - as is so often the case, it all depends on how evasive - and how savvy - the person on the other end is.

09-25-2014 01:02 AM #3 zeno (Administrator)

A corporate IP is not different from any other IP, other than that the range may be listed as corporate or associated with a business in some database that you can use.

Hence, you'll probably have to use a GeoIP database as Ian suggested.

How exactly would you like to implement this? For automatic redirection? For logging?

09-25-2014 05:22 AM #4 Adamw (AMC Alumnus)

Thanks guys!

Zeno - it is for auto redirections.

09-25-2014 12:25 PM #5 zeno (Administrator)

Hmmm, I think only a few GeoIP solutions offer detection of registering organisations, which is what you would need - though I'm not sure if it would be possible to sensibly redirect based on the results.

The three I know of are db-ip, Maxmind and Neustar.

09-25-2014 01:35 PM #6 jimmymob (Senior Member)

If you use Voluum, you can take advantage of their rules and you might be able to work this backward, as in target all the major 'home' ISPs, only allowing ISPs that aren't Comcast, Cox, Brighthouse, AT&T, etc. I found a list of the top 50 ISPs in Google a whle back and used that as a baseline, then filtered out others that I didn't want as they came to the page.

09-26-2014 12:10 AM #7 zeno (Administrator)

Quote Originally Posted by jimmymob View Post
If you use Voluum, you can take advantage of their rules and you might be able to work this backward, as in target all the major 'home' ISPs, only allowing ISPs that aren't Comcast, Cox, Brighthouse, AT&T, etc. I found a list of the top 50 ISPs in Google a whle back and used that as a baseline, then filtered out others that I didn't want as they came to the page.
That's definitely a practical approach!

09-26-2014 01:56 AM #8 atom64 ()

Quote Originally Posted by jimmymob View Post
If you use Voluum, you can take advantage of their rules and you might be able to work this backward, as in target all the major 'home' ISPs, only allowing ISPs that aren't Comcast, Cox, Brighthouse, AT&T, etc. I found a list of the top 50 ISPs in Google a whle back and used that as a baseline, then filtered out others that I didn't want as they came to the page.
problem is that comcast and some others have business services aswell offering servers, also this way you need lists of ISP of every country you have traffic in

09-26-2014 02:21 AM #9 redrummr (Member)

Buttoned up, what are you using this for?

Using jimmymob's approach would create a bleed problem.
The first bleed rate is corporate visits: a lot of people browse at work, many people buy things, they even back out visiting flogs at work. Why would corporate users not back out for you? Are you doing adult dating? If so, how do you tell your traffic source not to charge you for those clicks? I don't think you can. I suppose blocking them might be good, but who is clicking on x-rated ads at work? I've never had to implement this to avoid reports on my x-rated FB landers... because no sane person is clicking on ads with pics of girls at work.

It must be said now, that company visits are also often in the namespace of their ISP serving them. Meaning they are not always advertised as "McDonalds" but instead "ISP-name".

The second bleed rate would be probably 3% or more, and this would encapsulate ISPs not in your list. Especially in the US, there are probably thousands of regional ISPs especially delivering cell-to-home signal. I just read on reddit about one guy setting up his own ISP to serve a particular town. Admittedly, if you work on your approach (top 50 ISPs in the country) and manually inspect the filtered visits over the first few days, you can create some other manual rules and include more of the real ISPs are vetting them.

If Voluum is probably using a commercial (Maxmind or other) company/org database, and this may not be compatible with your specific intent, as there is a lot of movement, telephone exchange equipment (DSLAMs etc.) subletting and other things happening in the ISP space. Voluum would not use the live hostname (most accurate, and you can parse this easily to reveal the current and true organisation/source) because of the fetch (60-200ms additional). No cloaker or tracking service would use this due to the expensive turnaround.

So the main question for OP: do you want to filter people at work, or just filter spies/affiliates using VPNs? If the former: are you sure corporate/company visits don't back out?

Home > Programming, Servers & Scripts >