Risk-DB

Website: https://github.com/O-X-L/risk-db
Category: Threat Intelligence

Risk-DB is a network classification project maintained by O-X-L (OXL) that categorizes Autonomous System Numbers and IP networks by their operational purpose. Rather than labeling networks as simply "good" or "bad," Risk-DB tags them with functional categories such as hosting, VPN, proxy, residential, ISP, CDN, and education. We use this data on robtex.com and rtsak.com to provide network context on AS and IP lookup pages.

Source: Risk-DB

What is Risk-DB?

Understanding whether an IP address belongs to a residential ISP, a cloud hosting provider, or a VPN service is fundamental to interpreting network traffic. Risk-DB provides this classification at both the ASN and network prefix level, covering a significant portion of the routable internet.

The categorization includes:

  • Hosting - Cloud providers, dedicated server companies, colocation facilities, and virtual private server providers
  • VPN - Networks operated by or primarily used by commercial VPN services
  • Proxy - Residential proxy networks, SOCKS providers, and proxy-as-a-service infrastructure
  • ISP - Consumer and business internet service providers delivering connectivity to end users
  • Residential - Address space specifically allocated for residential broadband connections
  • CDN - Content delivery networks and edge computing platforms
  • Education - University networks and academic research institutions
  • Government - Government agency networks
  • Financial - Networks operated by banks and financial institutions

The project draws from BGP routing data, WHOIS records, PeeringDB information, and manual research. It is maintained as an open-source dataset, with contributions from the network security community.

What makes Risk-DB particularly useful is its granularity. A single ASN might contain both hosting and VPN IP ranges. Risk-DB can tag specific network prefixes within an ASN differently, providing more accurate classification than ASN-level labeling alone.

How We Use This Data

On robtex.com and rtsak.com, AS and IP lookup pages display Risk-DB classifications alongside other network metadata. When you look up an ASN, you see its functional category. When you look up an IP, you see the classification of the specific network prefix it belongs to.

This classification provides essential context for security analysis. A port scan originating from a hosting-classified network is expected behavior (many legitimate services run automated checks), while the same scan from a residential network is more suspicious. Login attempts from a VPN-classified network are worth scrutinizing differently than those from an ISP network.

The data also helps with traffic analysis at scale. Organizations can categorize their inbound traffic by network type to understand what proportion comes from hosting infrastructure (likely automated), VPN services (possibly privacy-seeking or evasive), and residential networks (likely real users).

FAQ

How is Risk-DB different from just looking up the ASN name?
ASN names can be misleading or uninformative. A hosting company might have a generic corporate name, or a VPN provider might register its ASN under a holding company. Risk-DB provides functional classification based on actual network usage, not just registration details. It also classifies at the network prefix level, which matters because large ASNs often serve multiple functions.

Can a single ASN have multiple Risk-DB categories?
Yes. A large telecommunications company might have prefixes classified as ISP (consumer broadband), hosting (their datacenter division), and CDN (their content delivery infrastructure). Risk-DB handles this by classifying individual network prefixes rather than just ASNs, so different parts of the same ASN can receive different tags.

Why does network classification matter for security?
The same behavior means different things depending on the source network type. High-volume HTTP requests from a CDN network are normal content delivery. The same pattern from a residential network suggests a botnet. SSH connections from a hosting network are expected (server management). SSH connections from a residential proxy network are suspicious. Risk-DB provides the network context needed to make these distinctions automatically.