The simple string of numbers (and sometimes letters) that allows a device to connect to the internet conveys a great deal of hidden information and meaning. Malign actors hide behind anonymity services to conduct fraud and execute malicious campaigns, which is why it’s important to understand all the details behind IP traffic.
Let’s break down the attributes of the IPv4 address 89.39.106.191 section by section and explain what each means, why it matters, and how you might use it to detect and defend against malicious activity. As part of this analysis, we’ll define and examine the attributes “as”, “client”, “infrastructure”, “location”, “risks”, “services”, and “tunnels”. Note: Spur is constantly updating our findings, so don’t be concerned if some attributes have changed since this post; the principles are the same.
“as”: Autonomous System Information
The ASN helps identify who controls the IP address block. With this information you can detect if traffic comes from hosting services, filter traffic, or apply stricter security rules for IPs from known data centers.

What it means:
- as number (ASN) is a unique identifier assigned to an internet service provider (ISP) or network operator.
- organization is the registered owner of that ASN.
“client”: Observed Client Behavior and Patterns
This section describes how the IP is used in practice, for example whether it’s part of a proxy network, shared by many users, or associated with anonymity tools. If many users or countries share an IP it could indicate a proxy or bot farm. With this information you can decide if the IP should be blocked, challenged, or allowed.

What it means:
- behaviors are tags describing user activity on this IP address. For example, “FILE_SHARING” indicates usage of peer-to-peer networks and torrenting.
- concentration is a geospatial and behavioral clustering summary (see the next section for more on this).
- count is the number of concurrent client devices (e.g., unique devices or sessions seen using this IP).
- countries is the number of distinct countries from which associated users originate.
- proxies is the known proxy providers (in this example Proxyrack, Netnut, IPCola, etc.) associated with this IP.
- spread is a numerical measure of how widely the IP is used. Larger numbers imply many unique entities or sessions.
- types is device types observed. Values here can include DESKTOP (standard computers or laptops); HEADLESS (devices or browsers without a standard display); IOT (connected devices such as game systems, smart TVs, streaming sticks, etc.) or MOBILE (phones and tablets).
“concentration”: Geographic and Behavioral Density
This section describes where and how densely client activity is observed. With this intelligence you can detect geo anomalies, like an EU-based IP used for activity in Asia, or unusually diverse or concentrated patterns suggesting proxy use. You can compare this data with user-claimed locations, triggering risk alerts when the IP’s actual location doesn’t match expected geography.

What it means:
- density is the proportion of activity originating from that area. This is represented by a 0–1 scale.
- geohash is an encoded geographic grid reference.
- skew is a directional bias or diversity measure in IP usage. A higher skew value can indicate irregular usage, for example traffic not matching typical local patterns.
“infrastructure”: Network Environment Type
This section categorizes the underlying network. Intelligence in this area can help to establish rules for blocking, throttling, or allowing IPs based on infrastructure type.

What it means:
Values can include:
- DATACENTER: Generic datacenter or VPS environment.
- MOBILE: Infrastructure for mobile networks (e.g., 4G/LTE).
- SATELLITE: Long-range satellite-related infrastructure. IP location is often distinct from physical location.
- IN_FLIGHT_WIFI: Infrastructure related to airline transit. IP location is often distinct from physical location.
- GOOGLE: Infrastructure hosted by Google that pools and routes traffic from public Wi-Fi spaces and untrusted mobile networks.
“ip”: The Actual IP Address
This section is simply the IP being analyzed. It is included for reference or correlation.

“location”: Registered or Observed Geolocation
Geolocation is used to detect geographic anomalies (e.g., logins from unexpected places) and enforce geo-fencing or regional compliance. In a real-world context, use this to compare against user location claims, shipping addresses, or historical activity as a measure of fraud detection.

What it means:
The physical location associated with the IP (either from WHOIS or geolocation data).
“risks”: Known or Predicted Threat Types
This information provides a direct risk assessment for decision-making. For example, you can use this data to block or rate-limit scraping/tunneling, or to log or monitor suspicious sessions for later analysis.

What it means:
Flags assigned by the system based on known behaviors. These can include:
- CALLBACK_PROXY: Network can route traffic for residential or malware proxies.
- GEO_MISMATCH: The datacenter or hosting location differs from the location of its users.
- LOGIN_BRUTEFORCE: Persistent login attempts against web forms detected.
- TUNNEL: Exit point for an anonymizing VPN/proxy/tunnel. Traffic is likely associated with this service.
- WEB_SCRAPING: Automated or headless web scraping activity.
“services”: Active Network Services or Protocols
Information here helps confirm VPN or proxy infrastructure. Detected protocols on this IP suggest it’s running VPN or secure tunneling services. This is useful for distinguishing between legitimate and anonymized traffic. Using this information, you can flag sessions for additional verification or a CAPTCHA, or recognize VPN exit nodes and treat them accordingly.

What it means:
Services can include:
- HTTP: Standard hypertext transfer protocol for web traffic.
- IPSEC: Encrypted IP security protocol suite.
- L2TP: Layer 2 Tunneling Protocol for secure VPN connections.
- OPENVPN: Popular open-source VPN protocol.
- PPTP: Point-to-Point Tunneling Protocol for older VPN connections.
- SHADOWSOCKS: Secure proxy protocol built for censorship circumvention.
- SOCKS: Proxy protocol that relays TCP/UDP traffic.
- VMESS: Encryption/transport protocol used by V2Ray.
- V2RAY: Platform supporting encrypted traffic and multiple protocols.
- TROJAN: Encrypted proxy protocol designed to imitate HTTPS.
- WIREGUARD: Modern, high-performance VPN protocol.
- PROPRIETARY: Non-standard or private/closed-source protocol.
“tunnels”: Active or Historical VPN/Tunnel Information
This section identifies exact anonymity networks behind a request, including detailed metadata about a detected VPN or tunnel. You can use this data to enforce stricter login rules when VPNs are involved, or whitelist specific VPNs if used legitimately (e.g., corporate access).

What it means:
- anonymous indicates that traffic hides the real user.
- entries / exits are internal nodes of the VPN infrastructure.
- operator is the known provider (e.g., NordVPN).
- type is the kind of tunnel (VPN, SOCKS, TOR, etc.).
How to Use IP Intelligence
VPN services and residential, ISP, and mobile proxy services provide millions of clean IP addresses that bad actors take advantage of every day to route their malicious traffic for fraud and intrusion campaigns. Security, threat hunting, and fraud teams use IP intelligence to detect and defend their digital platforms from the risk of anonymized VPN and residential proxy traffic.
- Monitor risks, behaviors, and infrastructure for fraud and abuse detection, blocking or applying friction to suspicious traffic.
- Examine attributes such as location and concentration for geolocation verification, comparing results with expected location for compliance and content purposes.
- Assess tunnels, services, and proxies to tag anonymizing services.
- Analyze as, spread, and types to measure user diversity or identify potentially suspicious automation for investigations.
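The uses listed above can be combined into one triage step that returns an action plus the reasons behind it. The following is an added example, not Spur’s code or API: the attribute names and tag values come from this post, while the nesting (tunnels as a list of objects, a country key under location), the thresholds, the block/challenge policy, and both sample records are assumptions made for illustration.

```python
# Added example: thresholds, policy, nested key layout and sample records are
# assumptions; only attribute names and tag values come from the article.
BLOCK_RISKS = {"LOGIN_BRUTEFORCE", "CALLBACK_PROXY"}
FRICTION_RISKS = {"TUNNEL", "WEB_SCRAPING", "GEO_MISMATCH"}

def triage(record, claimed_country=None, allowed_operators=frozenset()):
    """Return (action, reasons); action is 'allow', 'challenge' or 'block'."""
    risks = set(record.get("risks", []))
    client = record.get("client", {})
    tunnels = record.get("tunnels", [])
    # Allowlisted operators (e.g. a corporate VPN) are not counted as anonymizers.
    anon = [t for t in tunnels
            if t.get("anonymous") and t.get("operator") not in allowed_operators]
    if tunnels and not anon:
        risks.discard("TUNNEL")
    reasons = [f"risk:{r}" for r in sorted(risks & (BLOCK_RISKS | FRICTION_RISKS))]
    reasons += [f"tunnel:{t.get('type')}:{t.get('operator')}" for t in anon]
    if client.get("proxies"):
        reasons.append("proxies:" + ",".join(sorted(client["proxies"])))
    # Many devices from many countries behind one datacenter IP suggests sharing.
    if (record.get("infrastructure") == "DATACENTER"
            and client.get("count", 0) >= 10 and client.get("countries", 0) >= 3):
        reasons.append("shared-datacenter-ip")
    ip_country = record.get("location", {}).get("country")
    if claimed_country and ip_country and claimed_country != ip_country:
        reasons.append(f"location:{ip_country}!={claimed_country}")
    if risks & BLOCK_RISKS:
        return "block", reasons
    return ("challenge" if reasons else "allow"), reasons

# Constructed records: documentation IP ranges and made-up values.
PROXY_EXIT = {
    "ip": "203.0.113.7", "infrastructure": "DATACENTER",
    "client": {"count": 25, "countries": 6, "proxies": ["EXAMPLE_PROXY"]},
    "location": {"country": "NL"}, "risks": ["CALLBACK_PROXY", "TUNNEL"],
    "tunnels": [{"anonymous": True, "operator": "EXAMPLE_VPN", "type": "VPN"}],
}
CORP_VPN = {
    "ip": "198.51.100.20", "infrastructure": "DATACENTER",
    "client": {"count": 4, "countries": 1}, "location": {"country": "US"},
    "risks": ["TUNNEL"],
    "tunnels": [{"anonymous": True, "operator": "CORP_VPN", "type": "VPN"}],
}
```

Returning the reasons alongside the action keeps each decision explainable in logs, which matters when a legitimate VPN user disputes a challenge.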
How Spur Helps
Spur delivers the highest-fidelity IP intelligence available to detect anonymized, proxied, or otherwise obscured internet traffic, empowering you to stop fraud, fake users, and threats. Designed by expert security researchers and engineers, Spur elevated VPN attribution, bot detection, and residential proxy tracking to defend the most mission-critical government and commercial systems in the world.
What differentiates Spur from other providers?
- Breadth of Coverage: Spur delivers more comprehensive detection than anyone else in the market, covering 60 million+ active anonymous IPs, and 1,000+ active VPN and proxy services.
- Depth of Attributes: Spur provides more than 20 attributes, including geo location, ASN, proxy/VPN status and attribution, device type, connection type, tunnel entry/exit context — not opaque scoring (more than a number).
- Residential Proxy: Spur is the only source that delivers insights into residential proxies, mobile IPs, and botnets where traditional providers fall short.
- High-Fidelity Data: Spur delivers real-time data that is accurate, fresh, and actionable, focusing on transparency and trust with low false positives.
- Historical Data Access: Delivers access to historical records dating back to 2020.
- Results in Minutes: Spur delivers fast onboarding, clear documentation, and responsive support for engineers and analysts.
To experience our high-fidelity IP intelligence in action, sign up for a free trial or contact us for pricing today.
What is IP intelligence?
IP intelligence is the process of analyzing data associated with an IP address — including location, ASN, infrastructure, and behavior — to understand who or what is behind a connection. It helps identify VPNs, proxies, or risky activity that might indicate fraud or malicious intent.
Why is understanding the anatomy of an IP address important?
Every IP address reveals critical context about the source of online traffic. By understanding its attributes, security and fraud teams can detect anomalies, identify anonymized users, and make informed access-control or risk decisions.
What can IP intelligence reveal about online activity?
IP intelligence can uncover whether a connection originates from a datacenter, residential proxy, VPN, or mobile network. It can also expose geographic inconsistencies, behavioral anomalies, or automation patterns that indicate suspicious behavior.
How is IP intelligence used for fraud detection and cybersecurity?
Organizations use IP intelligence to detect fake users, prevent account takeovers, and block automated or anonymized traffic. It adds a crucial layer of visibility for threat hunting, fraud prevention, and policy enforcement.
What makes Spur’s IP intelligence different?
Spur provides high-fidelity IP intelligence with detailed attributes — including tunnel context, proxy attribution, device type, and behavioral clustering — that go beyond simple reputation scoring. This allows teams to identify and act on anonymized or malicious traffic with precision.