VPN & Datacenter IPs

Websitehttps://github.com/X4BNet/lists_vpn
CategoryThreat Intelligence

This dataset identifies IP ranges belonging to known VPN providers and datacenter hosting infrastructure. Sourced from the X4BNet project on GitHub, it catalogs address space used by commercial VPN services, cloud hosting providers, and colocation facilities. We use this data on robtex.com and rbls.org to flag IPs that are likely proxied through VPN services or originate from hosting infrastructure rather than residential or corporate networks.

Source:VPN & Datacenter IPs

What is the VPN & Datacenter IP List?

The X4BNet project maintains curated lists of IP ranges associated with two categories of infrastructure:

VPN Providers - Commercial VPN services like NordVPN, ExpressVPN, Mullvad, Surfshark, and dozens of others operate large pools of IP addresses that their customers share. Traffic from these IPs is being routed through the VPN provider rather than originating from the user's actual network. The list covers:

  • Major consumer VPN services
  • Corporate VPN gateways with known IP ranges
  • Proxy services and SOCKS providers
  • VPN-as-a-service infrastructure on cloud platforms

Datacenter and Hosting - IP ranges allocated to datacenters, cloud providers, and hosting companies. Traffic from these ranges typically comes from servers, bots, or automated systems rather than human users browsing from home or office networks. This includes:

  • Major cloud providers (AWS, Azure, GCP, DigitalOcean, OVH, Hetzner)
  • Colocation facilities and dedicated server providers
  • Content delivery networks
  • Smaller regional hosting companies

The distinction between datacenter and residential traffic matters for fraud detection, bot management, and understanding the nature of connections to your services. A login attempt from a known datacenter IP when the account normally connects from residential addresses is a meaningful anomaly.

The X4BNet project compiles this data from BGP routing information, WHOIS records, and community contributions, with regular updates as providers acquire new address space.

How We Use This Data

On IP lookup pages across robtex.com and rbls.org, we check whether a queried IP falls within known VPN or datacenter ranges. If it does, we display an indicator showing the category (VPN, datacenter, or both) and, where available, the specific provider name.

This classification adds important context to other reputation signals. An IP flagged by abuse lists that also belongs to a known VPN provider tells a different story than the same flags on a residential IP. The VPN IP might simply be carrying mixed traffic from many users, while the residential IP might indicate a compromised device.

For security teams investigating suspicious traffic, knowing that an IP belongs to a datacenter or VPN helps prioritize response. Automated scanning from a datacenter IP is expected behavior in many contexts, while the same scanning from a residential IP is more likely to indicate compromise.

FAQ

Does being flagged as a VPN or datacenter IP mean the traffic is malicious?
Not at all. Millions of people use VPNs for legitimate privacy, accessing geo-restricted content, or securing connections on public WiFi. Similarly, most datacenter traffic is legitimate server-to-server communication, API calls, and automated services. The classification helps you understand the nature of the traffic source, not its intent.
How accurate is VPN provider detection?
Detection is based on known IP ranges allocated to VPN providers, which is generally reliable for major commercial VPNs. However, some VPN providers rotate IPs frequently or use residential IP pools that are harder to identify. Self-hosted VPNs on personal cloud instances may be classified as datacenter traffic but not specifically as VPN traffic.
Why would I care whether traffic comes from a datacenter versus a residential network?
The distinction is important for fraud detection, bot management, and access control. For example, an e-commerce site might flag orders from datacenter IPs for manual review, since legitimate shoppers rarely browse from cloud servers. A login from a datacenter IP when the account history shows residential connections could indicate credential theft. On robtex.com and rbls.org, this context helps you interpret other reputation signals more accurately.