
White Paper

The Definitive Guide to Understanding IP Addresses and VPNs and Implications for Businesses

www.digitalelement.com

Table of Contents
1. Introduction
  Types of IP Addresses
  Business Use Cases for IP Address Data
  Chapter Summary

2. The Evolution of IP Geolocation Data
  How IP Addresses are Assigned to Countries
  The IP Address Landscape: IPv4 & IPv6
  How do ISPs Decide Which Protocol to Adopt?
  IPv6 Tunneling (6to4) and Teredo (4to6)
  Network Address Translation (NAT)
  NAT vs Carrier Grade NAT (CGNAT)
  Chapter Summary

3. IP Address Geolocation Reliability and Vulnerabilities
  Digital Element’s Growth vs Market Evolution
  Limitations of IP Address Geolocation Data
  Distinguishing Between Fixed and Mobile IP Addresses
  What Role Does Internet Routing Play in Geolocation?
  Chapter Summary

4. How IP Addresses are Allocated
  IP Address Allocation to Global Regions
  IP Address Allocation to ISPs & Larger Companies
  How ISPs Assign IP Addresses
  IP Characteristics (IPC)
  Why is the IPC dataset vital in many use cases?
  Chapter Summary

5. VPN Market
  Evolution of the VPN Market Over the Last 20 Years
  Maturity of the VPN Market
  VPNs on a Spectrum of Benign to Malicious
  Other Context Related to IP Addresses Associated With VPNs
  IP Address and Forensics
  Proxy vs. VPN vs. Darknet
  Proxy IPs and Their Significance
  Residential Proxy IPs
  Detecting Residential Proxy IPs
  NetAcuity (IP Address Geolocation Database)
  IPC (IP Address Context Database)
  Nodify (VPN, Proxies, Darknet Database)
  What are Darknets and How do They Work?
  Chapter Summary

6. Parting Thoughts: The Future of IP Geolocation Data
  5G Impact on IP Geolocation Data
  IPv6 impact on IP Geolocation Methodology
  IoT and IP Addresses
  Mass Adoption of VPNs
  Chapter Summary
  Conclusion


1. Introduction
What exactly is an IP address? IP stands for ‘Internet Protocol,’ which comprises a set of rules governing the format of
all data sent via the internet. An IP address is a unique identifier for an internet-connected device, including computers,
mobile phones, connected TVs, or smart refrigerators. Without these protocols, the internet would be unable to distinguish
one device from another, leading to misdirected data.

Types of IP Addresses
Based on the description of IP addresses above, one can be led to believe that it is a very straightforward topic, but it is
actually quite complex. The complexity stems from a number of reasons, beginning with the fact that there are multiple
types of IP addresses, each of which is assigned a unique range.

Private IP address: IP addresses that can only be used by devices (aka “hosts”) on the same network, such as a corporate
network. These are non-internet routable, and are clearly defined in RFC6761, also known as the Request For
Comment, which is the main standards setting body for the internet.

Public IP address: IP addresses that are internet routable, meaning they can be reached from any device/machine in the world
(aka internet routable addresses), and are clearly defined in RFC1366, aka “Guidelines for Management of IP Space.”

Fixed IP address: IP addresses that are routed via cable, DSL or fiber infrastructure for internet connectivity, assigned to
non-mobile devices. Fixed IP addresses can be both static and dynamic (see below).

Mobile IP address: IP addresses that are routed via cell tower infrastructure for internet connectivity, assigned to mobile
devices. Mobile IP addresses are always dynamic IP addresses.

Static IP address: IP addresses that have a consistent geolocation, meaning at the time it is analyzed, its geolocation is the
same as previously identified. Static IP addresses are likely tied to the same building(s) if within an
ISP block.

Dynamic IP address: IP addresses whose geolocations change frequently. They’re dynamic because they can service different
end users at any given moment. Dynamic IP addresses are common in ISP, mobile carrier and proxy blocks
because end users fluctuate within a given area.

For more on Fixed vs Mobile IP addresses, jump to the “Distinguishing Between Fixed and Mobile IP Addresses” section of
this paper.

Business Use Cases for IP Address Data


By themselves, IP addresses don’t tell us much about the device or user behind them. Fortunately, Digital Element has a
wealth of insight and knowledge of how IP addresses are assigned. This allows us to glean extensive context around IP
addresses, which marketers, security teams, data analysts, and other stakeholders can use to make decisions.


The most common business use cases for IP address intelligence are:

Fraud and Security - Understanding where a device accessing a network is coming from to determine if the user is masking
their location to commit fraud or other nefarious activity.

Localizing content - Using knowledge of IP address location information to provide better customer experience through
language, currency, and other user preferences.

Legal and Licensing compliance - Compliance with regulated internet activities or services like gambling, or to ensure the
distribution of content adheres to copyright or licensing restrictions.

Advertising Yield Optimization - Improving ad conversion rates by targeting through geolocation and other data; growing
addressable market by accurately targeting new geographic markets; optimizing campaigns using localized target
segments, and many other similar use cases.

Analytics - Increasing value of publishers’ audience segments by including geographic regional data associated with traffic
to websites; and improving internal understanding of a company’s customers and to refine operations.

The types of context in this data include:

• Geolocation data (country, city, ZIP/postal code)
• Approximate longitude/latitude
• Proxy data (e.g. masked IP data that can be used by fraudsters)
• VPN provider
• Mobile, static, dynamic
• Company name that owns that IP address
• Organization name, which is the organization associated with an IP’s corresponding WHOIS range
• And much more...

In many cases companies have additional data that can be used in combination with this data to augment insights and
support informed decision making.

For example, IP data is very useful in a wide range of corporate security use cases where IT may have device-level data,
like the user agent string or login credentials that can be combined with IP address data to support decision making
relative to authenticating users.


Chapter Summary
This chapter introduced the concept of Internet Protocol (IP) addresses. To summarize, an IP address is a unique
identifier assigned to an internet-connected device that enables data transmission by following internet protocols. It plays
a critical role in distinguishing between devices and ensuring accurate data routing.

Despite its apparent simplicity, the topic of IP addresses is complex due to the existence of multiple IP address types,
each assigned a unique range. Businesses can leverage IP address data for a number of different purposes, including
enhancing fraud and security measures, localizing content for improved user experiences, compliance with legal and
licensing requirements, optimizing advertising yield, and gaining valuable insights by augmenting existing data sets and
enhancing analytics. IP address data includes geolocation information, proxy data, VPN details, and more, empowering
businesses to make informed decisions and improve various aspects of their operations.

The next chapter will discuss the evolution of IP addresses.


2. The Evolution of IP Geolocation Data


The beginning of the Internet Protocol (IP) dates back to 1973, when Robert Elliot Kahn and Vint Cerf designed the
Transmission Control Protocol (TCP). The goal of this protocol was to allow academics and scientists to share data easily
by sending it from one computer directly to another computer. IP addresses were bundled into the TCP protocol. A few
years later, Jon Postel, editor of Request for Comment (RFC)[1], split TCP and IP into two distinct operating layers.

The protocol gained traction when the U.S. Department of Defense announced its use of TCP/IP as the standard for all
military computer networking. The DoD’s adoption of TCP/IP gave it considerable credibility, enabling it to emerge as the
dominant protocol for networking.

How IP Addresses are Assigned to Countries


The Internet Assigned Numbers Authority (IANA) is responsible for coordinating IP addressing systems across the globe
as well as the Autonomous System Numbers (ASNs), which are used for routing internet traffic. An ASN is a unique
identifier assigned to a network or a group of networks that are under a common administrative control.

ASNs are used by the Border Gateway Protocol (BGP) to identify and exchange routing information between different
autonomous systems on the internet.

Essentially, the IANA assigns pools of unallocated addresses to regional registries known as Regional Internet Registries
or RIRs. Each RIR is assigned a pool of IP addresses according to its needs. The RIR then assigns the IP address blocks
to a local Internet registry (LIR) or National Internet Registry (NIR), which then assigns them to an Internet Service Provider
(ISP). Sometimes the RIR will assign a block of IPs directly to an ISP.

Figure 1: How IP Addresses are Assigned to Countries

A Constant Evolution

As is the case with all internet standards, the IP address is constantly evolving. The next section describes how the long-
term dominant IP address protocol, Internet Protocol version 4 (IPv4), came about and why it needed to evolve.

[1] The Request for Comment is an organization that collects and maintains technical and organizational documents about the internet.


The IP Address Landscape: IPv4 & IPv6


Initially deployed in 1983, IPv4 quickly became the dominant set of rules that dictate how the internet communicates. IPv4
was largely developed by the U.S. Department of Defense, as part of its Advanced Research Projects Agency Network
(ARPANET).

ARPANET was a groundbreaking development as it represented the first wide-area packet-switched network with
distributed control, a key feature that underpins the internet. It was also among the earliest networks to implement the
TCP/IP protocol suite. Both packet switching, a method of data transmission, and TCP/IP, a communication protocol,
subsequently became fundamental building blocks of the internet.

There are three parts to an IPv4 IP address:

Network part: This is the unique number that is assigned to your network. The network part also identifies the class of network that is
assigned. There are five classes of networks, each of which is assigned a range of IP addresses. In the IPv4 IP address
space, the five network classes are: A, B, C, D and E. Each class has a specific range of IP addresses (and ultimately
dictates the number of devices you can have on your network). Primarily, class A, B, and C are used by the majority of
devices on the internet. Class D and class E are for special uses.

Host part: This uniquely identifies the machine (computer, mobile device, smart watch) on your network. The host is the device used
to connect to the internet.

Subnet number: Subnet numbers are assigned with a local network that has a huge number of hosts, such as a corporate headquarters
with thousands of users who access the internet each day from their computers, laptops, tablets or phones. In such
cases, the local network will be divided into subnets, and each subnet is assigned a number.

IPv4 met the functional needs of the addressable market of internet users through its early stages of adoption. However,
the rapid adoption curve of internet users created a problem with the number of IPv4 addresses available to match the
growing base of users and their devices.

To avoid this problem, IPv6 was created, and went live in 1996. IPv6 addresses have 64 bits - twice as many bits as IPv4
addresses. That many bits allows 340 undecillion unique addresses (an “undecillion” is a 1 followed by 34 zeros). The
main benefit of IPv6 is that it can support the growth of addressable devices connected to the internet for a very long
time, as it is almost impossible to run out of these addresses.

Sample IP Addresses:

IPv4: 192.0.2.146
IPv6: 2601:18c:4080:1220:c971:29af:ea1a:a98b

Number of IP Addresses in the World:

IPv4: 4,300,000,000
IPv6: 75,827,654,284,935,200,000,000,000,000,000,000,000


There are several important distinctions between IPv6 and IPv4:

• IPv6 is slightly faster than IPv4 in network devices because it lacks network-address translation or NAT (discussed
in-depth on page 10). Using IPv6 is a better choice for people that require high speed for their network processing.

• IPv6 also reduces the size of routing tables, making routing more efficient and hierarchical by introducing a simpler and
more structured addressing scheme. This reduces the need for complex routing tables and allows for more efficient
aggregation and condensing of routing information[2].

• Unlike mobile IPv4, mobile IPv6 avoids triangular routing[3] and is therefore as efficient as native IPv6. IPv6 routers may
also allow entire subnets to move to a new router connection point without renumbering.

There are challenges to IPv6 that have been noted. Some have argued that IPv6 makes it harder to protect a network
against automated attacks. Logging systems may not work properly, and some devices do not have the ability to support
IPv6 due to their age, hardware limitations, and/or lack of support.

What happened to IPv5?

The short answer is that it was never formally adopted as a standard. IPv5 was an experimental standard developed by
Apple, NeXT and Sun Microsystems as a way to stream video and voice. Thus, the industry jumped from IPv4 to IPv6,
leaving IPv5 to serve as the foundation for technologies like Voice Over IP (VOIP).

Probably the largest reason IPv6 adoption has had challenges is the cost associated with it. IPv6 adoption requires
business personnel time (and potentially education or consulting costs) to redesign architectures and perform the
migration. In addition, some companies maintain legacy hardware which cannot support IPv6, and would need to be
replaced. Costs aside, legacy hardware is often no longer in production, yet still a critical infrastructure component,
further complicating an IPv6 migration.

IPv4 is still relevant with NAT and CGNAT, however, even though there is strong IPv6 adoption around the world. It will
take many more years for businesses to switch to IPv6-only equipment when it is not necessary to make that investment.
And if some entities or governments switch to IPv6, it ends up relieving the congested IPv4 addresses, which then again
obviates the need for the late adopters to adopt, as there will be plenty of IPv4 then to go around. Therefore, it is likely
that the two standards will coexist for a long time to come.

[2] https://radiocrafts.com/what-are-the-advantages-of-ipv6/
[3] Triangular routing is a networking term used to describe scenarios in which network traffic takes a
longer route than necessary, by passing through an intermediate network or node before reaching its
final destination and returning through the same path, creating a triangle-like pattern. This can result
in increased latency, congestion, and inefficient use of network resources.


How do ISPs Decide Which Protocol to Adopt?


How does an ISP determine when they should adopt IPv6? This is actually a business decision for them. In a White
House Memorandum from 2020, the U.S. Government explained that, “The technical, economic, and security benefits of
operating a single, modern, and scalable network infrastructure are the driving forces for the evolution towards IPv6-only
in the private sector.” In some cases, new ISPs are given little choice as to which version they use, as the IPv4 space is no
longer available to them.

Some ISPs are “dual stack,” meaning the ISP provides both IPv4 and IPv6. Those ISPs are likely to remain dual stack for
the foreseeable future, as IPv4 is not going away any time soon. As a result, dual stack is the only way these ISPs can
continue to provide access to the entire internet for their customers. Therefore, many networks rely on IPv6 tunneling or
Teredo, a transition technology to enable communication between IPv4 and IPv6 to overcome the challenges with
dual stack.

Some countries, including China and India, are starting to operate on IPv6 only, leveraging tunneling to convert IPv6
to IPv4.

Over time, many ISPs have resorted to Carrier Grade Network Address Translation (CGNAT, see below) to overcome the
issue of not having enough IP addresses available to them.

IPv6 Tunneling (6to4) and Teredo (4to6)


IPv6 tunneling (6to4) is a method that allows communication between IPv6 networks by encapsulating IPv6 packets
within IPv4 packets, which can then be transmitted over an IPv4 network. It essentially creates a virtual IPv6 network
on top of the IPv4 network. 6to4 exists (and is necessary) as many networks have yet to adopt IPv6, and IPv4 isn’t
capable of handling IPv6 packets.

IPv6 tunneling does not affect IPv4 addresses directly, but it does require them to carry IPv6 packets. This means that
IPv4 addresses are utilized to route IPv6 packets, and the network infrastructure needs to support both IPv4 and
IPv6 protocols.

IPv6 tunneling can look like a proxy because the IPv6 packet is encapsulated within an IPv4 header. This means that the
IPv4 header can be used to hide the IPv6 addresses and create a proxy-like effect. However, IPv6 tunneling is not the
same as a true proxy because the original IPv6 packet is still intact, meaning it isn’t modified by the tunneling process.

Teredo is similar to tunneling except that it gives IPv4-only hosts access to IPv6 address space. It operates with the use of
Teredo relays[4]. A special feature of Teredo is its ability, unlike 6to4, to operate behind NAT.

With both 6to4 and Teredo, the traffic can act like a proxy given the number of hosts using the relays. This is the reason
why Digital Element captures the proxy space with its Nodify product and helps companies differentiate this type of
proxy from the rest. Such tunneling is offered by some companies and has different and legitimate use cases for the
user of such a tunneling proxy. However, it is helpful for businesses to understand this type of proxy, especially in the
cybersecurity space.
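The tunnel addressing described above can be recognized directly from an IPv6 address, because 6to4 (2002::/16, RFC 3056) and Teredo (2001::/32, RFC 4380) embed IPv4 endpoints in the address itself. The following is an added example, not code from this paper or from Digital Element; the function and field names are hypothetical and the sample addresses are constructed documentation values.

```python
"""Added example: recover the IPv4 endpoints embedded in 6to4 and Teredo addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SIXTOFOUR_NET = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)
TEREDO_NET = ipaddress.ip_network("2001::/32")     # Teredo prefix (RFC 4380)


@dataclass(frozen=True)
class TunnelInfo:
    kind: str  # "ipv4", "6to4", "teredo" or "native"
    embedded_ipv4: Optional[ipaddress.IPv4Address] = None  # public IPv4 behind the tunnel
    teredo_server: Optional[ipaddress.IPv4Address] = None
    teredo_client_port: Optional[int] = None


def decode_tunnel(addr: str) -> TunnelInfo:
    """Classify an address and pull out any IPv4 endpoint encoded in it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return TunnelInfo("ipv4")
    raw = int(ip)
    if ip in SIXTOFOUR_NET:
        # Layout: 16-bit prefix 2002, then the site's 32-bit public IPv4 address.
        site_v4 = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return TunnelInfo("6to4", embedded_ipv4=site_v4)
    if ip in TEREDO_NET:
        # Layout: 32-bit prefix, 32-bit server IPv4, 16-bit flags,
        # 16-bit client UDP port and 32-bit client IPv4 (both stored inverted).
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return TunnelInfo("teredo", embedded_ipv4=client,
                          teredo_server=server, teredo_client_port=port)
    return TunnelInfo("native")


def geolocation_targets(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each logged address to the IPv4 address worth looking up, if any.

    The embedded value is only what the address encodes; nothing authenticates
    it, so treat it as context for a decision rather than proof of origin.
    """
    out: Dict[str, Optional[str]] = {}
    for addr in addresses:
        info = decode_tunnel(addr)
        out[addr] = str(info.embedded_ipv4) if info.embedded_ipv4 else None
    return out


# Constructed sample log sources (documentation ranges, not real traffic).
SAMPLE_SOURCES = [
    "2002:c000:0292::1",                        # 6to4 wrapping 192.0.2.146
    "2001:0000:4136:e378:8000:63bf:3fff:fdd2",  # Teredo example address
    "2601:18c:4080:1220:c971:29af:ea1a:a98b",   # native IPv6 (the paper's sample)
    "192.0.2.146",                              # plain IPv4
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, decode_tunnel(src))
```
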

[4] A Teredo relay is a server that assists in the transmission of IPv6 packets between Teredo clients located behind network address translators (NATs) and IPv6 hosts on the
internet.

Network Address Translation (NAT)

Network Address Translation (NAT) is a technique used in computer networking to enable devices on a local area network
(LAN) with private IP addresses to communicate with devices on the public internet, which requires a public IP address.
NAT works by creating non-internet routable IP addresses (addresses that can’t be used to access the internet directly, as
defined in RFC1918) and sending them through a routable IP address.

This is often seen in residential networks, such as a home network, where there are multiple computers or devices
behind a home router. Sometimes large organizations leverage NAT to potentially group devices behind a single IP
address (however, this isn’t a recommended practice due to limitations in both how NAT works and underlying hardware).

NAT was created as a stop-gap solution to the depleting IPv4 address space as, prior to IPv6, there weren’t enough
public IP addresses to assign to every device on the internet. Additionally, NAT provides an additional layer of security
by obscuring or hiding the private IP addresses of devices on the local area network (LAN) from the internet, which could
help to prevent cyber attacks.

One of the problems with NAT is that it can make it difficult to establish connections between devices on the internet
and devices on a LAN, as those on the LAN do not have public IP addresses that can be used to initiate connections from
the internet. To overcome this problem, techniques such as port forwarding or Universal Plug and Play (UPnP) have been
deployed to establish inbound connections to specific devices on the LAN. These techniques allow devices in private
networks to connect over the internet with other public or private devices.

NAT has become a popular and essential tool in conserving the global address space in the face of IPv4 address
exhaustion. One public or Internet-routable IP address of a NAT gateway can be used for an entire private network.
NAT’ing does not restrict the geolocation of devices. It will, however, show multiple devices behind the same IP address,
and potentially a larger area allocated to those devices. This is part of the reason why we created the IP Characteristics
product (IPC). IPC gives customers the ability to better understand the metadata of an IP address connection, like
activity based on the number of devices connected to that IP address, or the range in distance where the IP address
has been observed. Customers will soon be able to see if certain IP addresses are classified as being NAT’ed in our
product offering.

NAT vs Carrier Grade NAT (CGNAT)

Carrier Grade Network Address Translation (CGNAT) is a type of NAT that allows multiple customers to share a single
public IP address, and is often useful for ISPs in certain circumstances. Instead of just one network behind one IP
address, CGNAT creates another layer, hiding all the homes and businesses behind it, creating a double NAT.

CGNAT came into existence in 2009 with the help of the Internet Engineering Task Force (IETF). CGNAT allows ISPs to
preserve their own public IPv4 addresses, process subscriber traffic through the ISP’s private IPv4 network, as well as
support business subscribers that also have their own private IPv4 networks with multiple devices across
multiple locations.

CGNAT was also seen as a stop-gap solution to help with the transition from IPv4 to IPv6, in that it allows enterprise ISPs
to provide IPv4 addresses to smaller networks which might have issues with the transition.

Though originally deployed as a stop-gap, this approach turned into a more permanent solution for some ISPs, as it
means they have no need to upgrade their networks. The downside is that CGNAT caused a new set of issues, including
“double NATs” - i.e. two layers of internal address space, which breaks some core internet functions and slows
down network traffic.


There are some issues with CGNAT, however. One is that it can disrupt port forwarding, preventing incoming traffic
from reaching devices on the private network. This problem can affect VPN users who may need to use port forwarding
to access certain services or applications. CGNAT can also get in the way of people who want to connect to
internet-accessible devices (e.g. security cameras and other IoT devices), because behind CGNAT those devices are not
internet routable, meaning they do not have public IPs associated with them.

Another issue: hundreds or tens of end users are now seen lumped together as one IP address, which can result in
a serious headache if that IP address is blocked for whatever reason. Precise geolocation is extremely difficult with
CGNAT. However, it helps our customers tremendously when we are able to provide the context that it is CGNAT. IPC
again provides context around these types of network implementations so that businesses can avoid major issues with
customers. Within IPC, customers can also understand if the range of distance that the IP address has falls within a few
miles. If this range is generally limited or “tight”, then it is likely that multiple devices reporting this same IP address are all
behind a CGNAT assigned to them by their ISP.
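The heuristic described above (many devices on one public IP, observed within a tight distance range) can be applied to an organization's own login telemetry. This is an added example, not Digital Element's IPC logic; the event fields, labels and thresholds (`min_devices`, `tight_miles`) are assumptions, and the sample events are constructed.

```python
"""Added example: flag source IPs that look shared (NAT/CGNAT) from login telemetry."""
import math
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class Event:          # hypothetical telemetry record
    ip: str           # public source IP seen by the service
    device_id: str    # stable device identifier from the application
    lat: float        # device-reported location (assumed available)
    lon: float


@dataclass(frozen=True)
class IpProfile:
    devices: int         # distinct devices seen behind the IP
    spread_miles: float  # largest distance between any two observations
    label: str           # "likely_cgnat", "shared_wide_area" or "few_devices"


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def profile_ips(events: Iterable[Event], min_devices: int = 5,
                tight_miles: float = 5.0) -> Dict[str, IpProfile]:
    """Label each source IP by device count and geographic spread."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    profiles = {}
    for ip, evs in by_ip.items():
        devices = len({e.device_id for e in evs})
        spread = max((haversine_miles(a.lat, a.lon, b.lat, b.lon)
                      for a, b in combinations(evs, 2)), default=0.0)
        if devices >= min_devices and spread <= tight_miles:
            label = "likely_cgnat"      # many devices, tight range
        elif devices >= min_devices:
            label = "shared_wide_area"  # many devices, wide range
        else:
            label = "few_devices"
        profiles[ip] = IpProfile(devices, round(spread, 2), label)
    return profiles


def safe_to_block_ip(profile: IpProfile) -> bool:
    """Blocking a shared IP hits every user behind it; prefer account or session controls."""
    return profile.label == "few_devices"


def _cluster(ip, points, prefix):
    return [Event(ip, f"{prefix}-{i}", lat, lon) for i, (lat, lon) in enumerate(points)]


# Constructed sample telemetry using documentation IP ranges.
SAMPLE_EVENTS = (
    _cluster("198.51.100.7", [(33.950, -84.550), (33.955, -84.545), (33.960, -84.552),
                              (33.948, -84.560), (33.952, -84.548), (33.957, -84.555)], "t")
    + _cluster("203.0.113.9", [(33.75, -84.39), (40.71, -74.01), (41.88, -87.63),
                               (32.78, -96.80), (39.74, -104.99)], "w")
    + _cluster("192.0.2.146", [(33.95, -84.55)], "s")
)

if __name__ == "__main__":
    for ip, prof in profile_ips(SAMPLE_EVENTS).items():
        print(ip, prof, "block_ip_ok=", safe_to_block_ip(prof))
```
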


Chapter Summary
This chapter examines the history of IP geolocation data, which traces its roots back to 1973 with the design of the Transmission Control Protocol (TCP). Subsequently, IP addresses were integrated into the TCP protocol, facilitating seamless data sharing among computers. The allocation of IP addresses falls under the purview of the Internet Assigned Numbers Authority (IANA), which assigns them to regional registries responsible for distribution to Internet Service Providers (ISPs).

The evolution of IP addresses led to the development of IPv4, which proved effective but encountered limitations due to
an impending shortage of addresses, exacerbated by the rise of mobile technology and the Internet of Things. Concerns
about this scarcity prompted the Internet Society to create IPv6, boasting an exponentially larger address space. The
adoption of IPv6 by individual ISPs is contingent upon various business considerations.

To address the dwindling pool of IPv4 addresses, Network Address Translation (NAT) and Carrier Grade NAT (CGNAT)
techniques were developed. These methods enable devices with private IP addresses to communicate with the public
internet, conserving IPv4 addresses. NAT enhances security and address conservation, while CGNAT allows multiple
customers to share a single public IP address. However, both techniques can introduce challenges related to connectivity
and precise geolocation.

Understanding the characteristics of IP addresses, including CGNAT and network implementation, can assist businesses
in navigating potential challenges.

The next chapter will look at IP address geolocation reliability and vulnerabilities.


3. IP Address Geolocation Reliability and Vulnerabilities


We said earlier in the paper that IP addresses themselves don’t have any useful context, but that companies like Digital
Element can apply their understanding of the IP space to glean nuances and context. We refer to this process as
“resolving” IP addresses. When we say we resolve an IP address, we are essentially saying that based on our insight and
data, we can predict that these characteristics are true about a specific IP address. Our products offer accurate location
at the most granular level, down to the zip+4 (US) or Postal code (various countries).

IP address geolocation accuracy drops drastically as granularity of location increases for most providers. The key reason for this is that it takes scale to accurately map IP addresses to the right geolocations every day. Most providers in the industry are able to reach the following levels of accuracy.

Country      Region       City
95% - 99%    55% - 88%    50% - 75%

Figure 2: Accuracy by Granularity

While this level of accuracy is acceptable to satisfy a consumer’s curiosity, it isn’t nearly accurate enough for businesses
and organizations that must rely on it for a broad array of applications, including localizing content, verifying advertising
spend, preventing click fraud, ensuring compliance and rights enforcement, assessing threats, and more.


Digital Element’s Growth vs Market Evolution

The IP space is a place that is marked by continuous evolution, which means any company that works in the
industry must evolve along with it. Digital Element is no exception. The company has experienced three distinct
phases in refining its IP address data, described below. Why explain the history of Digital Element’s phases? These
evolutions provide important insights for security teams and measurement providers that need to compare IP
data providers. A proper comparison requires knowledge of where and how the data is derived.

Phase 1:

Digital Element was launched in 1999 to help businesses answer a specific question: “How can we help website owners gain insight into their visitors?” Digital Element realized that by identifying the geolocation data of an IP address with a high degree of accuracy, website owners could gain a better understanding of their visitors. Therefore, in the first phase of offering its service, Digital Element’s goal was to identify the user’s geolocation down to the city level. To do that, we began by developing a proprietary and patented methodology that utilized publicly available data sources, described in the table below.

These data sources allowed Digital Element to achieve high accuracy at the country level, moderate accuracy at
the region level, but a poor level of accuracy at the city/postal code level.

Whois Registry Data (now ICANN Lookup): Provides current registration data for domain names and internet number resources.

TraceRoute Analysis: Displays the path that the signal took as it traveled around the internet to a website. It also displays times which are the response times that occurred at each stop along the route.⁵

Reverse DNS Mining: A querying technique done on the DNS (Domain Name Server) side. It determines the hostname based on a given IP address.

Digital advertising was the primary use case for IP geolocation data during this phase. This data helped
publishers ensure that ads were seen in the appropriate region and in the local language.

5 https://resrequest.helpspot.com/index.php?pg=kb.page&id=437#:~:text=A%20traceroute%20displays%20the%20path,show%20up%20in%20these%20times.


Phase 2:

Continuing to expand its global reach, Digital Element introduced NetAcuity Edge, the first validated, global,
partner-contributed geographic ZIP code- and postcode-level data. This non-cookie-based dataset would provide
marketers around the world with a highly accurate hyperlocal IP geotargeting solution. This phase, launched in
2009, incorporated additional datasets:

• User Supplied Data - data from users who opt to share the city or postal code of their IP address. Note, users don’t share their personal data, and Digital Element neither collects nor stores any PII data.

• Provider Data - data provided by the ISPs that assign the IP addresses to the end users, or large corporations with thousands of employees.

This data allowed Digital Element to achieve higher levels of country/region level accuracy, as well as moderate
city/postal code level accuracy. The use cases during this phase expanded to ecommerce for localization, and
analytics, as well as better online advertising capability.

Phase 3:

With the mobile marketplace set to explode, Digital Element introduced NetAcuity Pulse in 2016. The industry’s
first mobile-centric IP targeting solution, this addition brought new levels of device intelligence to help marketers
reach an increasingly growing base of Wi-Fi users and fill the mobile gap. To achieve high accuracy at all levels
of granularity (country, region, city, ZIP/postal code), we incorporated device-derived data (D3), which is data
collected from mobile apps with a location use case and consent. This data includes elements such as IP
address, time stamp, latitude, longitude, and device ID.

All data Digital Element receives is aggregated in order to comply with existing and emerging privacy regulations.
Digital Element only partners with app publishers that have processes in place to ask users for permission to
share their location data, and receive permission to do so.

This latest phase expanded the category of companies that can benefit from IP address geolocation data. Any company, for any reason, can leverage Digital Element’s D3 data to better understand anonymous traffic. Today, cyber security, advertising, and analytics companies combine our IP address geolocation data with their own data to achieve a variety of business objectives.


Limitations of IP Address Geolocation Data


There are some limitations of IP geolocation data, which stem from two issues:

Proxies. If the IP address is tied to a proxy, accurate geolocation is not possible at any level of granularity. The best that can be achieved from a geolocation standpoint is accurate country-level location of the device or machine (physical or virtual) hosting the proxy IP.

Now that proxies and VPNs have become more popular and easy to use in today’s market, Digital Element has introduced
additional datasets to help identify proxy, VPN and darknet traffic. More on that in the VPN section.

Mobile and Satellite Connectivity. Country is the only level of granularity that can be ascertained with a high degree of accuracy with mobile and satellite connectivity. The vast majority of mobile carriers (995) allocate their IPs to thousands of end users in hundreds of different locations within a region (e.g. the New York, New Jersey, Connecticut area). Therefore, it is difficult to provide a high level of accuracy at the region, city, or ZIP/postal code level.

Distinguishing Between Fixed and Mobile IP Addresses


In the opening of this paper, we described fixed vs. mobile IP addresses, noting that fixed IP addresses can be static or
dynamic, whereas mobile IP addresses are always dynamic, never static.

Knowing the ISP of an IP address itself can provide insight into the geolocation of the IP address, as well as its type (i.e.
fixed or mobile). There are four types of ISPs:

1. Fixed ISPs, such as Comcast and Charter. These ISPs provide internet connectivity to both homes and commercial entities. Some businesses, educational institutions and governments can act as their own fixed ISP. Some ISPs also provide WiFi hotspot connectivity.

2. Mobile and fixed ISPs, such as AT&T. These ISPs provide connectivity to homes, and businesses, as well as users
on the go.

3. Mobile-Only ISPs, such as Cricket Wireless. These ISPs provide connectivity for mobile devices only.

4. Mobile connectivity for homes and businesses, such as T-Mobile and other 5G providers.

In general, IP traffic that comes from mobile carriers should be processed along with IP traffic from ISPs, and never
avoided, as there is still an active end user from an actual geolocation coming from that mobile IP.

However, due to the non-fixed, dynamic nature of mobile connectivity, mobile carrier traffic should not be treated with the
same level of credence as a fixed IP address, as it is less accurate than non mobile-carrier traffic.


What Role Does Internet Routing Play in Geolocation?


Internet routing is the process of directing internet traffic between different networks to reach their intended destination. The Border Gateway Protocol (BGP) is the most commonly used protocol for exchanging routing information between different autonomous systems (ASes), which are groups of networks managed by a single entity. An autonomous system number (ASN) is a unique number assigned to each AS, and is used to identify and differentiate them from one another.

BGP and ASN play a significant role in shaping geographic areas within the digital world. ASes are often organized by
geographic location, with each AS managing networks in a particular region. This allows data to be routed more efficiently
and quickly within a specific area. For example, if a user in New York City wants to access a website hosted in Los
Angeles, their data may travel through a network managed by an AS in New York, then another network managed by an AS
in California. This process can be more efficient than sending the data directly from New York to Los Angeles.

Vulnerabilities Caused by BGP Routing

Unfortunately, while BGP is a critical part of the internet, it is also an inherently insecure protocol. As a result, it can be
exploited by malicious actors for a variety of nefarious purposes.

One of the primary issues with BGP is that it lacks authentication, which means it can be manipulated easily. For instance,
criminals can use BGP hijacking to redirect internet traffic, allowing them to intercept or modify data as it is sent between
two networks. This type of attack can be used to disrupt services, steal information, or perform man-in-the-middle attacks.

Additionally, malicious actors can use BGP to spoof the location of networks. This allows them to make it appear as
though they are located in a different country or region, which in turn can make it difficult to track them down. Countries
such as Russia and China have been accused of abusing BGP hijacking to spy on their citizens, as well as to launch
attacks against other countries.

A few examples of recent large incidents:

• April 2021: Large BGP routing leak out of India: over 30,000 BGP prefixes⁶ hijacked via Vodafone Idea Ltd (AS55410), causing a 13X spike in inbound traffic. Prefixes were from around the globe but mostly US, including Google, Microsoft, Akamai, and Cloudflare.

• February 2021: Initially reported that Cablevision Mexico (AS28548) leaked 282 prefixes, creating conflicts for 763 ASNs in 80 countries, with the main impact in Mexico. Data from the Isolario MRT dump suggested that 7,200 IPv4 prefixes were announced and leaked to AS1874, impacting more than 1290 ASNs from over 100 countries.

• June 2019: A large amount of European mobile traffic was rerouted through China Telecom (AS4134). This began with a route leak: SafeHost (Swiss) (AS21217) announced more than forty-thousand IPv4 routes that had been learned from other peers and providers to its provider China Telecom (AS4134). China Telecom accepted these routes and propagated them.

BGP routing vulnerabilities will likely remain. There is no immediate solution available, but it is an area of vulnerability
within the connective tissue of the internet. Therefore, cybersecurity companies are advised to look up ASNs to see
anomalies when evaluating large sets of internet traffic data.
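One way to act on the ASN advice above, as an added example that is not part of the white paper: compare observed BGP announcements against a baseline of expected origin ASNs, then flag origin changes and more-specific prefixes announced by an unexpected origin. The prefixes (documentation ranges), the ASNs (documentation range 64496-64511), the baseline and the helper names are all constructed for illustration.

```python
"""Flag BGP announcements whose origin AS disagrees with a known baseline."""
import ipaddress
from collections import Counter, namedtuple

Announcement = namedtuple("Announcement", ["prefix", "as_path"])
Finding = namedtuple("Finding", ["kind", "prefix", "origin", "covering", "expected"])

# Constructed baseline: prefix -> origin ASNs normally seen for it.
BASELINE = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
    "203.0.113.0/24": {64498, 64499},   # legitimately announced by two origins
}

# Constructed observations, e.g. parsed from a route collector dump.
OBSERVED = [
    Announcement("192.0.2.0/24", [64510, 64500, 64496]),     # expected origin
    Announcement("198.51.100.0/24", [64510, 64505]),         # origin changed
    Announcement("198.51.100.128/25", [64511, 64505]),       # more specific, new origin
    Announcement("203.0.113.0/24", [64510, 64499]),          # known second origin
    Announcement("203.0.113.64/26", [64510, 64498, 64498]),  # more specific, known origin
    Announcement("2001:db8::/32", [64510, 64507]),           # not in the baseline
]


def load_baseline(mapping):
    """Parse {"prefix": {asn, ...}} into (network, expected_origins) pairs."""
    return [(ipaddress.ip_network(p), frozenset(a)) for p, a in mapping.items()]


def covering_entry(net, baseline):
    """Return the longest baseline prefix that equals or contains `net`."""
    best = None
    for base_net, origins in baseline:
        if base_net.version != net.version:
            continue  # subnet_of() raises TypeError across IPv4/IPv6
        if net.subnet_of(base_net):
            if best is None or base_net.prefixlen > best[0].prefixlen:
                best = (base_net, origins)
    return best


def find_origin_anomalies(announcements, baseline):
    """Return a Finding for every announcement with an unexpected origin AS."""
    findings = []
    for ann in announcements:
        if not ann.as_path:
            continue  # malformed record, nothing to attribute
        net = ipaddress.ip_network(ann.prefix)
        origin = ann.as_path[-1]  # the last AS in the path originated the route
        entry = covering_entry(net, baseline)
        if entry is None:
            continue  # outside the address space being monitored
        base_net, expected = entry
        if origin in expected:
            continue
        # A more-specific prefix wins longest-prefix matching, so it is
        # reported separately from a same-length origin change.
        kind = "origin-mismatch" if net == base_net else "more-specific-foreign-origin"
        findings.append(Finding(kind, str(net), origin, str(base_net), sorted(expected)))
    return findings


def anomalies_by_origin(findings):
    """Count findings per origin ASN; one ASN with many is the pattern to chase."""
    return Counter(f.origin for f in findings)


if __name__ == "__main__":
    results = find_origin_anomalies(OBSERVED, load_baseline(BASELINE))
    for f in results:
        print(f"{f.kind}: {f.prefix} from AS{f.origin} (expected {f.expected})")
    print(dict(anomalies_by_origin(results)))
```

A finding is a prompt for investigation rather than proof of a hijack, since legitimate re-homing and traffic engineering also change origins.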

6 A prefix refers to a block of IP addresses that are announced by a BGP router to other routers on the internet. The prefix includes a network address and a prefix length,
which specifies the number of bits in the IP address that are used to identify the network.


Chapter Summary
The first part of Chapter 3 examines Digital Element’s evolution in the IP geolocation address space. Digital Element offers
IP address resolution, providing valuable context for IP addresses. By resolving an IP address, Digital Element can predict
various characteristics based on rich insights and data, including precise location down to the zip+4 or postal code level.

This chapter acknowledges that IP geolocation data has certain limitations and vulnerabilities. Limitations arise from
proxies, making accurate geolocation challenging at a granular level. Additionally, mobile and satellite connections only
allow accurate identification of countries, as mobile carriers allocate their IPs to thousands of end users in numerous
locations within a region.

Vulnerabilities in IP geolocation data stem from internet routing, with the most common issue being the Border Gateway Protocol (BGP). BGP vulnerabilities primarily result from a lack of authentication, rendering it susceptible to exploitation. Given the absence of immediate solutions to address these vulnerabilities, cybersecurity companies are advised to reference Autonomous System Numbers (ASNs), unique numbers assigned to each autonomous system, to identify anomalies when evaluating large sets of internet traffic data.

The next chapter will delve into the allocation of IP addresses.


4. How IP Addresses are Allocated

IP Address Allocation to Global Regions


As mentioned in the previous section, the Internet Assigned Numbers Authority (IANA) has primary responsibility for
assigning unallocated pools of IP addresses to each region of the world.

IP Address Allocation to ISPs & Larger Companies


IANA will also allocate large IP blocks to both ISPs and larger companies. Their IP space will never overlap with one
another. Here are examples of how ARIN, the Regional Internet Registry for the US, Canada and the Caribbean, has
allocated large IP blocks (covering hundreds of thousands of IPs) to the ISP Comcast and the Company Microsoft:

24.0.0.0 - 24.255.255.255

Source  Country  Region  City         Speed  Zip Code  Org                                         Netname
ARIN    usa      va      centreville  ?      20120     american registry for internet numbers llc  net24
HI-FIX  ?        ?       ?            ?      ?         american registry for internet numbers llc  net24

24.0.0.0 - 24.255.255.255

Source  Country  Region  City          Speed  Zip Code  Org                                Netname
ARIN    usa      nj      mount laurel  cable  08054     comcast cable communications llc   easternshore-1
WONE    usa      nj      mount laurel  ?      08054     comcast cable communications inc.  easternshore-1
HI-FIX  ?        ?       ?             ?      ?         comcast cable communications inc.  easternshore-1

4.0.0.0 - 4.255.255.255

Source  Country  Region  City         Speed  Zip Code  Org                                         Netname
ARIN    usa      va      centreville  ?      20120     american registry for internet numbers llc  net24
HI-FIX  ?        ?       ?            ?      ?         comcast cable communications inc.           net24


4.0.0.0 - 4.255.255.255

Source  Country  Region  City     Speed  Zip Code  Org                    Netname
ARIN    usa      wa      redmond  ?      98052     microsoft corporation  msft
HI-FIX  ?        ?       ?        ?      ?         microsoft corporation  msft

How ISPs Assign IP Addresses


ISPs have their own method for assigning IP addresses. Some utilize regional allocations, meaning an IP block is
allocated to end users within a single region.

Here is an example from Charter Communications (DBA Spectrum) from our NetAcuity Pulse database, the industry’s first
mobile-centric, IP-targeting database.

Pulse Responses

Start IP      End IP        Geo                   Postal  Conn Speed  Conn Type
24.56.64.90   24.56.64.15   usa oh lima           45805   broadband   wifi
24.56.64.16   24.56.64.23   usa oh clyde          43410   broadband   wired
24.56.64.24   24.56.64.55   usa oh lima           45805   broadband   wifi
24.56.64.56   24.56.64.63   usa oh bluffton       45817   broadband   wired
24.56.64.64   24.56.64.95   usa oh lima           45805   broadband   wifi
24.56.64.96   24.56.64.103  usa oh bowling green  43402   broadband   wifi
24.56.64.104  24.56.64.111  usa oh elyria         44035   broadband   wired
24.56.64.112  24.56.64.127  usa oh bowling green  43402   broadband   wifi
24.56.64.128  24.56.64.183  usa oh lima           45804   broadband   wifi
24.56.64.184  24.56.64.191  usa oh columbus       43227   broadband   wired
24.56.64.192  24.56.64.215  usa oh ada            45810   broadband   wifi
24.56.64.216  24.56.64.223  usa oh arcadia        44804   broadband   wired
24.56.64.224  24.56.64.239  usa oh ada            45810   broadband   wifi
24.56.64.240  24.56.64.243  usa oh mansfield      44903   broadband   wired
24.56.64.244  24.56.64.255  usa oh galena         43021   broadband   wifi

Why is it useful to know which ISPs opt to allocate a block of IP addresses to users in a single region? This approach to allocation will have a high degree of IP address stability, as we will discuss below. IP address stability becomes an important insight for many use cases, including digital advertising. Let’s say a marketer wants to launch an ad campaign in which the users see a series of sequential messages. Such a scenario is only possible if the IP address is highly stable; otherwise one can’t assume that the advertiser is targeting the same device (or audience).

Other ISPs can assign a similar IP block to end users across multiple regions. Here is an example from Sky Broadcasting:

Start IP       End IP         Geo                          Postal    Conn Speed  Conn Type
51.146.25.0    51.146.25.23   gbr gat marley hill          ne16 5dw  broadband   wifi
51.146.25.24   51.146.25.31   gbr nbl blyth                ne24 4gf  broadband   wifi
51.146.25.32   51.146.25.47   gbr net newcastle upon tyne  ne6 4xl   broadband   wifi
51.146.25.48   51.146.25.63   gbr dur haswell              dh6 2af   broadband   wifi
51.146.25.64   51.146.25.78   gbr nty wallsend             ne28 9hd  broadband   wifi
51.146.25.79   51.146.25.79   gbr nty whitley bay          ne26 2ah  broadband   wifi
51.146.25.80   51.146.25.87   gbr gat marley hill          ne16 5az  broadband   wifi
51.146.25.88   51.146.25.95   gbr sty hebburn              ne31 1xq  broadband   wifi
51.146.25.96   51.146.25.100  gbr snd hetton-le-hole       dh5 9ll   broadband   wifi
51.146.25.101  51.146.25.111  gbr nbl blyth                ne24 4lw  broadband   wifi
51.146.25.112  51.146.25.127  gbr nty newcastle upon tyne  ne12 8ds  broadband   wifi
51.146.25.128  51.146.25.143  gbr dur murton               sr7 9jt   broadband   wifi
51.146.25.144  51.146.25.155  gbr sty south shields        ne34 8ad  broadband   wifi
51.146.25.156  51.146.25.159  gbr gat whickham             n316 5jr  broadband   wifi
51.146.25.160  51.146.25.175  gbr nty whitley bay          ne26 1hz  broadband   wifi
51.146.25.176  51.146.25.191  gbr dur murton               sr7 9g    broadband   wifi
51.146.25.192  51.146.25.223  gbr nty newcastle upon tyne  ne12 9be  broadband   wifi
51.146.25.224  51.146.25.235  gbr sty north shields        ne29 6be  broadband   wifi
51.146.25.236  51.146.25.239  gbr sty south shields        ne33 1tt  broadband   wifi
51.146.25.240  51.146.25.255  gbr nbl blyth                ne24 3ur  broadband   wifi

Static vs Dynamic IP Addresses


When we observe an IP address, we also observe a location that is associated with it (this goes back to our earlier
discussion of country/region/city accuracy). However, if you live in a single family home in certain parts of the world and
have a large ISP provider for your internet connection, chances are that your IP address has not changed in months, if not
years. So what gives? Why are some IP addresses stable while others are volatile?

IP address volatility refers to the change in a device’s IP address over time. Dynamic Host Configuration Protocol (DHCP)
is a client/server protocol that automatically provides an IP host, such as a home router, with its IP address and other
related configuration information.

Generally speaking, DHCP (Dynamic Host Configuration Protocol) IP addresses are not inherently stable in a specific
location, as they can change due to a variety of factors. These types of IP addresses are commonly found in residential
networks, where factors such as lease duration, network reconfiguration, or device disconnection and reconnection can
influence their stability.

The length of time an IP address remains stable to an organization can vary, from 24 hours to a year or more, depending
on the type of IP address being used. In general, static IP addresses remain stable for longer than dynamic IP addresses.
Digital Element’s IP Characteristics (or IPC) solution enables clients to determine the stability of IP addresses to a location
over time. The IPC section below provides sample statistics on IP address stability.

Static IP addresses can be categorized as having very long-term stability, as they remain in the same geolocation for more
than a year, whereas dynamic IP addresses fall under short-term stability since their geolocation changes quite frequently
(e.g., within a few weeks).

Measuring the geolocation stability of IP addresses can be helpful for cyber security and digital advertising use cases. For
cyber security, knowing how long an IP address has been at a given location can provide valuable context for security or
authentication logic. In digital advertising, understanding the stability of an IP address can help marketers apply granular
rules to their campaigns, such as targeting audiences with highly stable IP addresses with sequential messaging that
takes them on a journey, while targeting audiences with dynamic IP addresses with more general campaigns.


IP Address Stability by - Country

Digital Element’s IPC solution was used to evaluate IP addresses and ISP carriers across several countries to help determine the stability of the IP addresses. For this study, the stability data were grouped into various categories based on longevity.

[Chart of IP address stability for: Telefonica de Espana - Spain, Orange Espana - Spain, NTT Docomo - Japan, KDDI Corporation - Japan, Vodafone - Germany, Deutsche Telekom - Germany, Far Eastone - Taiwan, Chunghwa Telecom - Taiwan, Comcast Cable - USA, Charter Communications - USA]

Stability Bucket    No. of Weeks Stable
No Stability        0
Very Short Term     1-4 (1 month)
Short Term          5-16 (4 months)
Medium Term         17-36 (9 months)
Long Term           37-52 (12 months)
Very Long Term      53+ (Over 1 year)

Image 3: IP Address Stability by - Country


As mentioned at the start of this section, the ISPs in a given country drive the majority of the allocations of IP addresses.
Therefore, their methodology for allocations generally will also drive the stability of the IP address in that region.

Each ISP’s methodology for assigning IP addresses may be determined by various factors, such as population density, cultural context regarding how often people move within that region, or how often they replace their internet hardware, etc. As you can see above in Figure 1, different carriers in different countries have varied impacts. Taiwanese ISPs, for example, create almost no long-term stability, while the Spanish ISPs have the most stable IP addresses for their given block.

Next, we can gain an even clearer picture of IP addresses by aggregating this data into two categories: stable and
unstable. An IP address is considered stable if it has remained at the same location for five weeks or more.

Unstable vs. Stable IP addresses by ISP - Country

[Chart of unstable vs. stable IP addresses for: Telefonica de Espana - Spain, Orange Espana - Spain, NTT Docomo - Japan, KDDI Corporation - Japan, Vodafone - Germany, Deutsche Telekom - Germany, Far Eastone - Taiwan, Chunghwa Telecom - Taiwan, Comcast Cable - USA, Charter Communications - USA. Legend: Unstable, Stable]

Image 4: Unstable vs. Stable IP addresses by ISP - Country

The stability of an IP address is a helpful context for cyber security teams tasked with keeping their corporate data and
network safe. Moreover, the factors that help drive the measurement of stability are also important for cybersecurity
companies. Digital Element’s IP Characteristics (IPC) database leverages various deterministic data to establish
stability, including:

• The number of devices seen that were connected to that IP address over the observed time period

• Number of observations with a GPS signal that were received that identified the location and the IP address

• Number of locations (postal code, city, region, country) in which the same IP address was observed, as well as the last time it was observed.


IP Characteristics (IPC)

IP Characteristics is Digital Element’s dataset solution that provides additional insights and context about the
recent trend or behavior of specific IP addresses. It uses mobile device derived data (D3) to highlight an IP’s
characteristics, such as activity, geo-location (latitude/longitude), range, and persistence.

Why is the IPC dataset vital in many use cases?

While the aggregated data by carrier and country are helpful contextual indicators, they should not be used to
build logic decisions at the IP address level. The key characteristics of the IP address itself should be used to
make determinations for cybersecurity, digital advertising, or analytics purposes. See the five examples below.


                     Example 1     Example 2       Example 3       Example 4       Example 5
IP:                  142.54.30.80  108.48.147.197  183.82.204.172  107.242.121.41  104.37.31.45
Observations:        602           1028            995             889,218         1,226,119
Device IDs:          1             8               20              5,107           3,670
Country:             1             1               1               1               9
Region:              1             1               1               28              44
City:                1             1               8               884             199
Postal Code:         1             1               28              1323            240
Avg Distance:        0             0               6               -1              -1
Max Distance:        0             0               18              -1              -1
Standard Deviation:  0             0               7               -1              -1
Last Seen:           10/8/2022     10/8/2022       10/11/2022      10/9/2022       10/10/2022
Weeks Stable:        46            7               0               0               0

Key Takeaways: Example 1 is a stable IP address based on one geolocation observed over 600 times over 46 weeks. This IP
address would likely be considered safe by all measures by a cybersecurity firm.

Key Takeaways: Example 2 is also a stable IP address even though it was only stable for 7 weeks. We see that there were over 8
devices from the same geolocation, making it likely it is a household with multiple computers and mobile devices.

Key Takeaways: Example 3 provides intelligence that this IP address is stable when considering the macro geographic location, but is unstable when looking at the city and postal code level, since it has over 20 devices connecting to it. Even though this IP address is considered unstable, it is likely safe due to the fact that the average and maximum distance between all the postal codes is small. This fact indicates that this IP address is likely a regional NAT. It is likely in a rural area where not enough IP addresses are allocated (an unstable dynamic one).

Key Takeaways: Example 4 (mobile activity) and Example 5 (proxy activity) are clearly proxy IP addresses given the number of
observations and devices connected to them being extremely high. However, the key difference is that Example 4 could be a
corporate proxy IP address (relatively less malicious) given that it stays within the same country.

Key Takeaways: Example 5 has been seen in 9 countries. This IP address is clearly one that should be blocked when considering
access to secure content.

Figure 5: IP Address characteristics examples
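The reasoning in the key takeaways above, written out as rules in an added example (not Digital Element's code and not the IPC schema). The records are the five rows of Figure 5, and the bucket boundaries and the five-week stable threshold come from this chapter; the field names, the reading of -1 as "no range reported", the `TIGHT_RANGE_MAX` cutoff and the labels are assumptions.

```python
"""Triage IP addresses from IPC-style characteristics (illustrative rules)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpcRecord:            # field names are assumptions, not the IPC schema
    ip: str
    observations: int
    device_ids: int
    countries: int
    regions: int
    cities: int
    postal_codes: int
    avg_distance: int       # -1 where the table reports no range
    max_distance: int
    weeks_stable: int


# The five rows of Figure 5 (standard deviation and last-seen date omitted).
FIGURE_5 = [
    IpcRecord("142.54.30.80", 602, 1, 1, 1, 1, 1, 0, 0, 46),
    IpcRecord("108.48.147.197", 1028, 8, 1, 1, 1, 1, 0, 0, 7),
    IpcRecord("183.82.204.172", 995, 20, 1, 1, 8, 28, 6, 18, 0),
    IpcRecord("107.242.121.41", 889_218, 5_107, 1, 28, 884, 1323, -1, -1, 0),
    IpcRecord("104.37.31.45", 1_226_119, 3_670, 9, 44, 199, 240, -1, -1, 0),
]

# Stability buckets from the chapter's table: (first week, last week, name).
BUCKETS = [
    (0, 0, "No Stability"),
    (1, 4, "Very Short Term"),
    (5, 16, "Short Term"),
    (17, 36, "Medium Term"),
    (37, 52, "Long Term"),
]
STABLE_WEEKS = 5        # chapter: stable if at one location five weeks or more
TIGHT_RANGE_MAX = 25    # assumption: largest max distance still treated as "tight"


def stability_bucket(weeks):
    """Map a weeks-stable count to the chapter's stability bucket name."""
    if weeks < 0:
        raise ValueError("weeks stable cannot be negative")
    for first, last, name in BUCKETS:
        if first <= weeks <= last:
            return name
    return "Very Long Term"  # 53 weeks and up


def classify(rec):
    """Apply the takeaways in order of severity and return a triage label."""
    if rec.countries > 1:
        return "multi-country-proxy"          # Example 5: seen in 9 countries
    if rec.weeks_stable >= STABLE_WEEKS:
        return "stable"                       # Examples 1 and 2
    has_range = rec.max_distance >= 0
    if has_range and rec.device_ids > 1 and rec.max_distance <= TIGHT_RANGE_MAX:
        return "likely-shared-nat"            # Example 3: many devices, tight range
    if not has_range and rec.device_ids > 1:
        return "single-country-high-fanout"   # Example 4: mobile or corporate proxy
    return "unstable-unclassified"


def triage(records):
    """Return (ip, stability bucket, label) for each record."""
    return [(r.ip, stability_bucket(r.weeks_stable), classify(r)) for r in records]


if __name__ == "__main__":
    for row in triage(FIGURE_5):
        print(*row, sep="\t")
```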


Chapter Summary
This chapter opened with a look at how IP addresses are assigned. The IANA assigns IP addresses to global regions,
including large IP blocks to ISPs, and large corporations. Some ISPs opt to allocate IP addresses to users within a single
region for higher stability, while others assign them across multiple regions.

The stability of an IP address varies between static (long-term) and dynamic (short-term) addresses. Understanding IP address stability is useful for cybersecurity and digital advertising purposes, as it provides context for establishing best practices.

Digital Element’s IP Characteristics (IPC) dataset used mobile device derived data (D3) to provide insights and context
regarding specific IP addresses, including activity, geo-location, range, and persistence.

The next chapter explores the VPN market and its impact on the challenges facing cybersecurity teams.


5. VPN Market

Evolution of the VPN Market Over the Last 20 Years


Virtual Private Network (VPN) usage has grown exponentially over the past few years. Twenty years ago, the majority of VPN use was corporate. If a private or commercial VPN outside of the corporate VPNs was used back then, it was by a sophisticated actor who knew how to set up a VPN, or knew how to use VPNs for obfuscation purposes. Today, the VPN market has matured tremendously, with an improved user experience that onboards unsophisticated users without friction.

Advances in internet bandwidth and streaming media were among the key reasons for the growth in VPN usage. They created a market for people who want the ability to access video content over the internet in regions outside of their own country; VPNs allow consumers to circumvent geo-based restrictions. Driven by the pandemic and lockdown orders, consumers globally signed up for a VPN service in order to access content that was otherwise off limits to them.

These use cases helped mature the VPN market place. Today, some 1.6 billion people — about 31% of the world’s internet
users — rely on a VPN to surf the web and access apps anonymously. That enormous pool of users is an irresistible draw
for entrepreneurs, consumers, and nefarious actors who see an opportunity to cash in on the trend.

There are hundreds of VPN services (though most are owned by the same subset of parent companies). Obviously, a great
deal of VPN usage is benign, but not all of it is. For instance, the credentials of 21 million VPN users were stolen from just
three VPN apps — SuperVPN, GeckoVPN, and ChatVPN — and are now up for sale on the dark web.

Maturity of the VPN Market


To grow in a maturing marketplace, VPN providers have also differentiated themselves with various features to enable
different types of obfuscation for anonymity. These features range from simple privacy-focused features and DRM
circumvention, to highly sophisticated features the average user isn’t likely to use. The latter were built and are meant for
people with a high interest in evading detection.

Security and compliance teams need a nuanced understanding of the VPN market so that they can make smart decisions
about which VPN traffic to allow, which to investigate, and which to ban altogether. To make those distinctions, however,
teams need context and insight. VPN intelligence data is essential. But not all VPN data is equally valuable; critical
differences exist, and those differences can spell the difference between a hack that is cauterized quickly, and one that
makes national headlines.

Digital Element’s Nodify threat intelligence solution helps to capture the various features offered by VPN
providers. This insight allows users to distinguish between the benign VPNs and more sophisticated ones that a
nefarious actor could use. In the table below, we’ve noted the various VPN features that Nodify is able to identify.


| Feature | Description | Why it Matters |
|---|---|---|
| Torrenting Allowed | Allows for the use of torrenting. Torrenting is the process of downloading files from other torrent servers across the internet. | Torrenting is often used for online piracy. It is important to know the copyright laws of a country and abide by them. |
| No Torrenting Allowed | Does not allow the use of torrenting. | A provider which states this will cancel accounts or block torrenting in general to combat online piracy. |
| Logging Policy | Provider states they log user data or traffic on their infrastructure. | Logging is used to monitor what the users are doing on the network. It can be subpoenaed by law enforcement to help capture criminals. |
| No Logging Policy | Provider states they do not log user data or traffic on their infrastructure. | These providers allow their users to perform any activity, criminal or not. |
| Smart DNS | Uses Domain Name System (DNS) resolution in a specific country to bypass restrictions. | This allows a special kind of bypass for only DNS traffic. This is often seen in use for circumventing restrictions on digital media. |
| Streaming Unblocking | Offers the ability to bypass streaming media restrictions. | This advertises that the provider sells services in an attempt to purposely circumvent digital media restrictions. |
| Unlimited Bandwidth | Does not restrict the amount of data a user may use across their network. | Users are able to leverage this for as much traffic as they desire, which would prevent the end site from knowing the true origin of the user entirely. |
| Affiliate Program | Provider offers an incentive program to bring additional users to them. | Providers incentivize people to advertise their service. They pay them money to say they are the “best” solution out there without having them on staff. |
| API | Offers an application programming interface for developing programs or to allow programming. | This allows users to write code against their platform, which can potentially be abused by bots. |
| P2P Infrastructure | This is a peer-to-peer based network infrastructure. | The IP addresses within these types of networks can be residential users, which makes them potentially riskier as there are reduced policies and enforcement of bad behavior. |
| Exit Node Selection | Allows for the user to select their exit point. This could be a specific country, city, or server. | This allows for the user to select a specific location to disguise themselves as. A user will use these to circumvent geo restrictions. |
| Kill Switch | User will lose internet access in the case of the tunnel breaking, ensuring no data leakage. | If the user’s VPN or proxy is broken, this will prevent the user from being able to connect to the internet. This is used by people who are ensuring their original IP address is not decloaked. |
| Residential IP Addresses | Offers residential IP address space. These are IP addresses on a suspected anonymizing network that are registered under residential ISPs (does not include peer-to-peer proxy IPs). | This is used for providers which want to look as unique and human-like as possible. |
| Private Relay | Privacy-focused VPN. It does not allow for the user to select their exit point. | Though this is a privacy-focused service, the traffic is often not logged and is prone to abuse. It might not allow a user to circumvent geo restrictions but could allow for fraud. |
| Multihop | Allows for double, or multiple hops for traversing the network. | These providers offer built-in hops to obscure the user’s origin and exit to add in privacy. |
| Dedicated Nodes | Offers dedicated IP address space or exit systems for a user. | Users will pay more to obtain their own IP address which no other users on the provider may use. It is often used to prevent abuse complaints. This can sometimes be used for a business. |
| Warrant Canary | A warrant canary is a method by which a communications service provider aims to inform its users that the provider has been served with a government subpoena despite legal prohibitions on revealing the existence of the subpoena. | This is important for privacy-minded individuals who want to know if the provider has had an encounter with law enforcement. These users may stop using the service temporarily if the warrant canary is triggered. |
| Tor Access | Has the ability to access the Darknet Tor. | This gives the users the ability to access the Tor network from within the VPN or proxy. This adds another level of risk as all traffic is allowed through Tor. |
| Published Nodes | Provider lists their nodes publicly. | These providers have their entrance or exits published for companies to see. This is often benign but could help companies with blocking outright. |
| Paid | A paid service offering. | This shows a service which is focused on the business side of ensuring higher quality for the users. They usually have more offerings than free services. |
| Free | A free service which can be used at no cost to the user. | These are sometimes advertising driven or the user’s traffic is sold to make money in other ways. Depending on the provider, the application itself could even be malicious. |
| Bulletproof Hosting | Bulletproof hosting (BPH) is infrastructure service provided by a web hosting provider that is resilient to complaints of illicit activities. | This is among the highest risk offerings. A BPH provider allows anything, including botnets, to be operated from their network. |
| Known Malicious | This provider is known to be hosting malicious infrastructure. | These providers are known to be operating malicious activities which could include DDoS, ransomware, credential stuffing attacks, or operating from infected machines. |
| Education | This provider belongs to an Education Facility. | Though a benign feature, education providers sometimes are more lax in their security posture. |
| Corporate | Provider offers Company or Corporation access for businesses. | A corporate VPN which could make it look like a user is coming out of hosting space or cloud infrastructure. |
| Scam | A scam service trying to defraud users out of money. | These providers are known to steal money. |
| Tor Exit Nodes | These are IP addresses where traffic from users of Tor will appear to originate from. The Tor Project is an open network used by those who wish to maintain anonymity. | Tor allows for all types of activity to traverse its network. This is among risky traffic for business sensitive applications. |
| Hosting Providers/Data Centers | These are IP addresses associated with hosting services that are likely to be used as anonymizers. This anonymizer type also includes both registered and non-registered anonymizing VPN services. | Traffic seen from these is often not human and is related to bots. Humans do not live in data centers. |
| Public Proxies | These are proxies that are available for free and publicly posted. | Anyone or any bot can use these services and abuse them. They allow any kind of traffic, malicious or not. These have been seen abused by DDoS botnets. |

These VPN features help illustrate the maturity of the VPN market. While no one VPN provider offers all of these features,
there are several that offer a combination of them.


Circumvented IP

For example, 41% of the VPNs tracked offer features such as Unlimited Bandwidth. This feature is primarily used by users
who wish to circumvent streaming media’s geo restrictions.

[Figure 6: Circumvented IP. Diagram labels: double VPN (entry: France, exit: United States); single VPN (entry/exit: United States); regionally locked video content.]

Credential Stuffing Attack

Features such as multi-hop [7], kill switch [8], and peer-to-peer (P2P) [9] infrastructure ostensibly promote user privacy, but an
actor who wishes to hack into accounts with credential stuffing will find these features helpful when trying credentials
with multiple IP addresses.

[Figure 7: Credential Stuffing Attack. Diagram labels: stolen credentials (username, password, email); proxies; internet; my bank; good username and password.]

[7] A multi-hop VPN is one that adds an extra layer of encryption and an additional server to the normal VPN connection by “chaining” or “cascading” two or more VPN servers together. The purpose is to boost the security and privacy provided by a standard, single-server VPN.
[8] A kill switch ensures that a device won’t revert to its default internet connection if the VPN connection suddenly drops.
[9] A P2P VPN allows for the transfer of data from many sources, which provides faster and more efficient downloads. It works by creating a secure and encrypted tunnel that connects a device to a server.


VPNs on a Spectrum of Benign to Malicious


Not all VPN providers offer services that are friendly to nefarious players. The maturation of the VPN market has created
a spectrum of benign to sophisticated VPNs. For example, both Google and Apple offer a built-in VPN service with their
paid subscription offerings. These generally have simpler logging policies and publish the IP address ranges they use for
their services. Many users may not consider the implications of using this VPN when it’s turned on. On the opposite end
of the spectrum, there are VPNs that offer specific features, such as bulletproof hosting. Bulletproof hosting is a type of
web hosting service that allows users to host any type of content, including illegal or malicious material, with little to no
oversight or regulation. These types of hosting companies tend to originate from US-sanctioned countries.

Given the number of people across the globe who now use a VPN, it isn’t practical to block all traffic stemming from one.
Therefore, security teams need a way to decipher the potential for a VPN to support nefarious actors through features that
are friendly to their activities.

VPN Feature vs. Potential Risk

[Figure 8: VPN Features vs Potential Risk. Axis: Low to High. Feature labels, in the order and groupings in which they appear in the chart:]

Corporate; Dead; Private Relay; Logging Policy; No Torrenting Allowed; Five Eyes Country; Dedicated Nodes; Education; KYC

White Label; Publishing Nodes; Affiliate Program; Paid; No Country; API; VPN; Unlimited Bandwidth; Under 10 hosts; Free; Active; Unknown Country; Proxy; Kill Switch; Minimum Logging Policy; Smart DNS; Streaming Unblocking; Between 10-100 Hosts; Hosting; Residential; Between 100-1k Hosts; Warrant Canary; P2P Infrastructure

Over 2 Providers; Accepts Gift Cards; Accepts Digital Currency; Torrenting Allowed; Tor Access; No Logging Policy; Multihop; Residential IP Addresses; Over 10k Hosts; Exit Node Selection

IP Address from Sanctioned Country

Darknet; Provider Exists in a Sanctioned Country; Known Malicious; Bulletproof Hosting


In this chart, you can see multiple groupings of features offered by VPNs. The features at the top end generally indicate
that the traffic coming from these VPNs is safe. This contrasts with traffic coming from a VPN that has any one of
the features in the bottom grouping. These VPNs should be considered nefarious and potentially be blocked. And the
presence of features in the middle groupings may not by themselves indicate risk, but the combinations of them could be.

To apply these insights to practical use cases, we’ve identified the most commonly used features that help perpetrators
execute their malicious intent for one of the use cases below in figure 7. For example, the unlimited bandwidth feature
is likely limited to users who wish to circumvent streaming media geo restrictions, or for creating and deploying bots. A
streaming company may want to block all traffic from VPNs that support this feature, and prompt users to sign on without
their VPN.

DRM Protection Account Takeover Bot Protection Government Security

Torrenting Allowed (Piracy) X

No Logging Policy X X X X

Smart DNS X X

Streaming Unblocking X

Unlimited Bandwidth X X

Traffic from Sanctioned Countries X X X

Exit Node Selection X X X X

Bulletproof Hosting X X X X

Residential IP Addresses X X

Private Relay X

Residential Proxy X X X

Other Context Related to IP Addresses Associated With VPNs


While some VPN features are generally helpful when evaluating whether to block an IP address associated with that VPN,
some teams may want more context. Fortunately, there are many other pieces of information that can add to the context
about the IP address.

Sometimes an IP address is no longer being used by a VPN or a hosting block, and has circulated back into an ISP block.
Permanently categorizing an IP address with a reputation score can be detrimental to users and, therefore, to the revenues
of companies.

Additionally, it’s important to remember that some IP addresses may be shared by multiple VPN providers within a hosting
block. Some of those IP addresses may have been used during a certain time period to execute an attack, but it’s very
possible that they are no longer being used for this purpose. Therefore, the databases that provide Proxy and VPN IP
addresses should take the recency of the IP address and its association to a block into account.

See Figure 8 below with examples of IP addresses associated with VPNs and related information that provides
greater context.

| | Example 1 | Example 2 | Example 3 | Example 4 | Example 5 |
|---|---|---|---|---|---|
| IP Address | 185.199.103.151 | 103.224.240.78 | 166.88.131.177 | 2605:6400:30:f8b5:620c:dc25:c624:aafd | 104.144.51.245 |
| Category | VPN | VPN | VPN | Darknet | Proxy |
| Node Type | Exit | Entrance | Both (Entrance & Exit) | Tor-Exit | Entrance |
| Protocols | OpenVPN over UDP through Port 1194 | VPN over TCP through Port “unknown” | OpenVPN over UDP through Port 1194 | TOR over TCP through Port “unknown” | HTTP over TCP through Port 7776 |
| Hostname | N/A | in-09.protonvpn.com | vpn296011200.opengw.net | tor-exit.yomi.katawaredoki.one | N/A |
| Time Stamp of IP | This IP was first seen with proxy activity on 2022-10-08. It was last seen with proxy activity on 2022-10-15. | This IP was first seen with proxy activity on 2022-02-25. It was last seen with proxy activity on 2022-09-02. | This IP was first seen with proxy activity on 2022-04-29. It was last seen with proxy activity on 2022-10-15. | This IP was first seen with proxy activity on 2018-03-01. It was last seen with proxy activity on 2022-10-17. | This IP was first seen with proxy activity on 2022-09-24. It was last seen with proxy activity on 2022-09-26. |
| Provider | Nord | Proton | VPNGate, Nord | TOR | TheSpeedX |
| Time Stamp of Provider | Nord’s proxy activity for this IP was first seen on 2022-10-08 and last seen on 2022-10-15. | Proton’s proxy activity for this IP was first seen on 2022-02-25 and last seen on 2022-09-02. | VPNGate’s proxy activity for this IP was first seen on 2022-04-29. Nord’s proxy activity for this IP was first seen on 2022-08-12 and last seen on 2022-10-15. | TOR’s proxy activity for this IP was first seen on 2022-03-01 and last seen on 2022-10-17. | TheSpeedX’s proxy activity for this IP was first seen on 2022-09-24 and last seen on 2022-09-26. |
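
The following Python sketch is an added example, not Digital Element's code or the Nodify data format. It combines the feature groupings of the "VPN Features vs Potential Risk" chart with per-provider last-seen dates like those in the table above, so that a provider that has left an IP no longer drives the decision. The record layout, the 30-day window, the three-feature combination threshold, the assignment of labels to the low and high ends, and the sample addresses (documentation range 203.0.113.0/24) are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Feature labels are copied from the page's "VPN Features vs Potential Risk" chart.
# Assumption: the first group of labels is the low-risk end, the last group the high-risk end.
LOW_RISK = frozenset({
    "Corporate", "Dead", "Private Relay", "Logging Policy", "No Torrenting Allowed",
    "Five Eyes Country", "Dedicated Nodes", "Education", "KYC",
})
HIGH_RISK = frozenset({
    "Darknet", "Provider Exists in a Sanctioned Country",
    "Known Malicious", "Bulletproof Hosting",
})


@dataclass(frozen=True)
class Sighting:
    """One provider observed on an IP (hypothetical record, not a vendor schema)."""
    provider: str
    last_seen: date
    features: frozenset


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow", "investigate" or "block"
    reason: str


def evaluate(sightings, today, max_age_days=30, combo_threshold=3,
             use_case_block=frozenset()):
    """Decide how to treat traffic from one IP.

    max_age_days and combo_threshold are assumed tuning values, not from the page.
    use_case_block lists features a particular business blocks outright.
    """
    # Recency first: a provider that no longer uses the IP must not keep tainting it.
    active = [s for s in sightings if (today - s.last_seen).days <= max_age_days]
    if not active:
        return Verdict("allow", "no provider seen on this IP within the window")

    # An IP can be shared by several providers; pool the features of the active ones.
    features = frozenset().union(*(s.features for s in active))

    high = sorted(features & HIGH_RISK)
    if high:
        return Verdict("block", "high-risk feature: " + ", ".join(high))

    blocked = sorted(features & use_case_block)
    if blocked:
        return Verdict("block", "blocked for this use case: " + ", ".join(blocked))

    # Middle-group features are not risky alone, only in combination.
    middle = sorted(features - LOW_RISK - HIGH_RISK)
    if len(middle) >= combo_threshold:
        return Verdict("investigate", "combination: " + ", ".join(middle))
    return Verdict("allow", "no risky feature combination")


def fs(*names):
    return frozenset(names)


# Constructed sample data: provider names, dates and feature sets are made up.
TODAY = date(2022, 10, 17)
SAMPLES = {
    "203.0.113.10": [Sighting("ProviderA", date(2022, 2, 25), fs("Bulletproof Hosting"))],
    "203.0.113.20": [Sighting("ProviderA", date(2022, 4, 29), fs("Known Malicious")),
                     Sighting("ProviderB", date(2022, 10, 15), fs("Paid", "Kill Switch"))],
    "203.0.113.30": [Sighting("ProviderC", date(2022, 10, 15),
                              fs("No Logging Policy", "Multihop", "Exit Node Selection"))],
    "203.0.113.40": [Sighting("ProviderD", date(2022, 10, 16),
                              fs("Paid", "Unlimited Bandwidth"))],
    "203.0.113.50": [Sighting("ProviderE", date(2022, 10, 16),
                              fs("Paid", "Bulletproof Hosting"))],
}

if __name__ == "__main__":
    for ip, sightings in SAMPLES.items():
        verdict = evaluate(sightings, TODAY)
        print(f"{ip:14} {verdict.action:12} {verdict.reason}")
```

A streaming service that blocks on Unlimited Bandwidth would pass `use_case_block=frozenset({"Unlimited Bandwidth"})`, which turns the verdict for 203.0.113.40 from allow into block.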


IP Address and Forensics


Ransomware, account takeover, DDoS takedowns, and malware delivery are growing in frequency, making it more vital to
identify anonymous internet traffic. However, once a business falls prey to such an attack, it is important to understand
how it happened. IP address context plays a key role in forensics, so that you can identify gaps in security and prevent
future attacks. Access to the highest quality data that is current and keeps track of these movements of IP addresses
geographically, between hosting blocks, and VPNs helps to ensure that the right lessons can be learned from past attacks
to prevent future ones.

Proxy vs. VPN vs. Darknet

• A VPN is an encrypted connection over the internet from a device to a network — through a single IP address. In
the corporate world, it extends the internal network to, say, an employee’s home so that they can access work files
in a secure manner. A commercial VPN simply creates a tunnel for the user to hide their original location.

• A proxy server is a computer that stands between users and their servers and hides their device IP addresses, but
not all of their web activity.

• A darknet is an overlay network or virtual network within the internet that can only be accessed with specific
software, configurations, or authorization. Darknets often use unique communications protocols.

Proxy IPs and Their Significance


A proxy IP is a technique utilized by users who wish to shield their actual IP addresses during an internet session. A proxy
IP essentially allows a user to surf the web under an alias.

Why is this significant? It isn’t easy to decipher the intent of a user who is hiding their true IP address. Is the user who is
attempting to access your corporate network an employee who is using the Tor browser, or a nefarious actor attempting
to breach your network? Without additional context, it’s impossible to know.

Residential Proxy IPs


Residential Proxy IP networks are networks that utilize the IP addresses of consumers who sign up for any number of
apps that pay them to share their bandwidth. Those apps become gateways for other clients of the app provider. To a
corporate network administrator, a residential proxy IP address looks just like a legitimate residential address.

How do they work? Residential proxy networks route traffic through an intermediary server, which can be any device
capable of receiving and sending internet traffic from one device or website to another.

Where do these networks obtain legitimate residential IP addresses for their networks? There are multiple ways. In some
cases, residential proxy networks provide an SDK to app developers who want to monetize their apps. In some cases, the
network convinces the provider of a browser extension to include their code. And, these networks can leverage a botnet to
obtain residential IPs.


Detecting Residential Proxy IPs

All of Digital Element’s datasets - NetAcuity, IPC and Nodify - help customers to identify residential IP proxies.
Each provides insights that enable businesses to identify residential proxy IPs by:

• Understanding the activity level behind an IP address.

• Providing insight into the stability of an IP address. If an IP address has been associated with a specific
city location for weeks at a time and is part of an ISP-provided IP address, there is a high probability that it
is a legitimate, stable IP address belonging to a building in that city.

Suppose a network administrator notices access from an IP address, 86.5.215.174. Is it a residential proxy IP?
The answer is yes. Here’s why:

NetAcuity (IP Address Geolocation Database)

• This IP is operated by UK-based ISP Virgin Media.

• Virgin Media provides fixed connectivity to residences and businesses. This is a residential connection.

• It is allocated to the town of Stevenage, in Hertfordshire, postal code SG2 8EU.

IPC (IP Address Context Database)

• A single device ID has been tied to this IP.

• This IP is servicing a single location.

• This IP has been in that single location for the past 48 weeks.

Nodify (VPN, Proxies, Darknet Database)

• This IP is a VPN Proxy, acting as an exit node.

• It is in use by a Commercial VPN provider.

• This proxy activity occurred recently.

These pieces of intelligence, when used together, validate that 86.5.215.174 is a residential proxy. NetAcuity and
IPC verified this was a fixed IP tied to a residential connection, while Nodify verified that recent proxy activity
had occurred.

To detect these proxies, we can look at the percentage of residential IPs that are actually stable, and test this
dataset against our IPC Stable IDs dataset (1 mo, 3 mo, 6 mo, 1 year) to identify correlations between them.

If the residential proxy IPs are not stable, it is an indication that the providers of these IPs are getting the users to
somehow change IPs frequently, so as not to get caught while staying within the ISP range of IPs.

| Time Frame (Weeks Stable) | IP Count | IP % of Total | |
|---|---|---|---|
| 0 | 69 | 9.815 | No Stability |
| 1-4 | 251 | 35.704 | Very Short Term |
| 5-8 | 88 | 12.518 | Short Term |
| 9-20 | 84 | 11.947 | Medium Term |
| 21-40 | 145 | 20.623 | Long Term |
| 40+ | 66 | 9.387 | Very Long Term |
| | 703 | 99.994 | Totals |

In the chart above, we can observe that Digital Element’s IPC database reflects data from the past 30 days.
To obtain the latest IPC results for ‘Weeks Stable’ (covering the past 30 days), we utilized a sample of 703
Residential Proxy IPs. These IPs were determined to be proxies through a combination of NetAcuity, Nodify, and
IPC data.
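
The residential proxy check described above can be sketched in Python as follows. This is an added example, not Digital Element's code or the NetAcuity, IPC or Nodify formats: it merges an ISP connection type, weeks of location stability and days since proxy activity into one verdict, then bins the confirmed residential proxies into the stability time frames of the table. The record fields, the 30-day recency window, the placement of exactly 40 weeks in "Long Term" and the generated sample set are assumptions; only the bucket counts and the 86.5.215.174 case come from the page.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# (low, high, label) in weeks, from the page's stability table.
# The page lists "21-40" and "40+"; putting exactly 40 weeks in "Long Term" is an assumption.
BUCKETS = [
    (0, 0, "No Stability"),
    (1, 4, "Very Short Term"),
    (5, 8, "Short Term"),
    (9, 20, "Medium Term"),
    (21, 40, "Long Term"),
    (41, None, "Very Long Term"),
]


@dataclass(frozen=True)
class IpEvidence:
    """Hypothetical merged record; field names are not a vendor schema."""
    ip: str
    connection_type: str           # ISP/geolocation view: "residential", "hosting", ...
    weeks_stable: int              # context view: weeks seen at a single location
    proxy_days_ago: Optional[int]  # proxy view: days since proxy activity, None if never


def stability_bucket(weeks):
    """Map weeks of stability to the label used in the page's table."""
    if weeks < 0:
        raise ValueError(f"weeks must be >= 0, got {weeks}")
    for low, high, label in BUCKETS:
        if weeks >= low and (high is None or weeks <= high):
            return label


def classify(evidence, recent_days=30):
    """recent_days is an assumed window for 'proxy activity occurred recently'."""
    recent = (evidence.proxy_days_ago is not None
              and evidence.proxy_days_ago <= recent_days)
    if evidence.connection_type == "residential":
        # A residential line alone looks legitimate; proxy activity is what changes that.
        return "residential proxy" if recent else "residential"
    return "non-residential proxy" if recent else "no recent proxy activity"


def stability_distribution(records):
    """Count confirmed residential proxies per stability bucket, with % of total."""
    proxies = [r for r in records if classify(r) == "residential proxy"]
    counts = Counter(stability_bucket(r.weeks_stable) for r in proxies)
    total = len(proxies)
    return {label: (counts[label],
                    round(100 * counts[label] / total, 3) if total else 0.0)
            for _, _, label in BUCKETS}


def short_lived_share(dist, labels=("No Stability", "Very Short Term")):
    """Percentage of proxies stable for four weeks or less (a sign of IP rotation)."""
    total = sum(count for count, _ in dist.values())
    short = sum(dist[label][0] for label in labels)
    return round(100 * short / total, 3) if total else 0.0


# The page's worked case; "3 days ago" is a constructed stand-in for "recently".
PAGE_EXAMPLE = IpEvidence("86.5.215.174", "residential", 48, 3)


def build_sample():
    """Constructed records whose bucket counts match the page's 703-IP sample."""
    per_bucket = [(0, 69), (2, 251), (6, 88), (15, 84), (30, 145), (50, 66)]
    records = [IpEvidence(f"sample-{weeks}-{i}", "residential", weeks, 1)
               for weeks, n in per_bucket for i in range(n)]
    # Two records that must be filtered out: no proxy activity, and a data-center IP.
    records.append(IpEvidence("sample-clean", "residential", 60, None))
    records.append(IpEvidence("sample-dc", "hosting", 10, 2))
    return records


if __name__ == "__main__":
    print(PAGE_EXAMPLE.ip, "->", classify(PAGE_EXAMPLE),
          "/", stability_bucket(PAGE_EXAMPLE.weeks_stable))
    dist = stability_distribution(build_sample())
    for label, (count, pct) in dist.items():
        print(f"{label:16} {count:4} {pct:7.3f}%")
    print("stable for 4 weeks or less:", short_lived_share(dist), "%")
```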


What are Darknets and How do They Work?


A darknet is an intranet within the internet. It is a layer on top which can only be accessed with specialized software or
routing. It’s called “dark” because in the past they weren’t indexed by search engines (though that is not necessarily true
anymore). Their main focus is anonymity and privacy, not allowing an individual to be identified through their connection.

Most people associate darknets with Tor but there are many other types active in the world today. Most, but not all, are
free to use.

Darknets are networks that require special access permissions or configurations to be able to use them. For example,
to access the Tor network, a user needs to connect via an Exit Node and use the Tor browser, which uses the Tor Hidden
Service Protocol. Alternatively, they could use Tor2Web, but it’s not recommended. The advantage of using Tor or the Invisible
Internet Project (I2P) is that they can host services within their networks that are difficult to locate. Instead of using an IP
address to connect, these services rely on routing through custom domain names, which the network converts into
a location.

Figure 9: Tor network


Chapter Summary
The chapter defines types of proxies and compares their differences, including VPNs, darknets, and residential IP
proxies. The use of VPNs has significantly increased in recent years, driven by factors such as improved user experience,
consumer desire to access restricted content, and anonymity. However, with the growing market, there is a mix of
legitimate and malicious VPN usage, as evidenced by the theft of credentials from popular VPN apps. To effectively
manage VPN traffic, security teams require a nuanced understanding of the market and access to valuable VPN
intelligence data for making informed decisions and preventing potential security breaches.

Digital Element’s Nodify threat intelligence solution identifies and captures the features provided by VPN providers,
enabling users to differentiate between benign VPNs and potentially malicious ones.

The final chapter looks at future developments Digital Element will monitor in the year ahead.


6. Parting Thoughts: The Future of IP Geolocation Data


As technology is ever-changing, there are a number of industry dynamics and advancements coming that we are keeping
our eyes on as we enter new phases of our IP address journey. These include:

5G Impact on IP Geolocation Data


We haven’t seen any impact from 5G on how IP addresses are allocated to geographic areas or to which end users they
reach. This connectivity appears to be no different from the previous 3G/4G/LTE protocols.

Despite the hype surrounding 5G technology, it has not yet delivered connection speeds that would replace Wi-Fi. As a
result, many end-users still prefer to use Wi-Fi connections rather than relying on their mobile carrier’s network for internet
access. As 5G-enabled devices become more prevalent, it’s important to consider its impact on wireless home routers,
especially with the rise in mobile carrier offerings of 5G home internet and the increasing volume of mobile phone usage.

Geolocating IP addresses connected to 5G towers may become useful due to 5G’s high frequency and limited range.
Unlike 4G, which has a lower frequency and longer range, 5G is limited to a much shorter range for that level of bandwidth
fidelity. While 5G promises 100GB bandwidth, its shorter range limits coverage to a smaller area. This makes it possible to
more accurately place mobile IPs, but mass deployment of 5G cell towers is still in its early stages.

The one remaining problem with this setup is that, in the transition phase, the blocks of IP addresses that are used by the 5G cell
towers can still be shared with 4G cell towers. This makes using mobile IP addresses for locations just as futile as it
is today. So we will watch how this plays out, as infrastructure investments will potentially change the landscape of IP
address geographic allocation.

IPv6 impact on IP Geolocation Methodology


Eventually, IPv6 should make IPv4 obsolete (that’s certainly the Internet Society’s goal), as we will never run out of the IPv6
space. Currently the world is just under 40% IPv6 adoption, with France in the lead at over 74%, India at 68%, and Germany
at 65%. There has only been an upward trend of adoption due to the IPv4 exhaustion in November 2019. The United States
government has mandated that all its networks will transition to IPv6 by the end of fiscal year 2025. Many agencies are
completing this transition earlier.

That said, IPv6 geographical allocation, and which end users it reaches, doesn’t appear to be any different from IPv4.
Most of the IP geolocation methodology is applicable for IPv6.

Additionally, IPv6 can actually provide more dedicated IP geo allocation compared to IPv4, meaning that a smaller IPv6
block can be dedicated to a single geo-location in perpetuity. This contrasts with IPv4, where a similar block would
need to account for multiple geo-locations and end users. The main reason for this dynamic nature of IPv4 is the
dearth of available IPv4 addresses when compared to the current and growing number of devices globally. With IPv6, this
need to constantly share addresses is obviated, as there is an almost endless availability of IPv6 addresses.

While this logic is sound in how things will play out, there will always be room for IP addresses that are unable to be
geolocated (for example, if IPv6 is being used as a proxy). Due to the almost unlimited availability of IPv6 addresses and
the ease of not having to share them, they will be a better source of IP-geolocation in the long run. Time will tell as to how
ISPs decide to implement their blocks of IPv6 addresses.


IoT and IP Addresses


As mentioned in the introduction, the internet seemed to be at risk of exhausting its supply of IP addresses just as the
Internet of Things (IoT) was emerging. To ensure the internet’s continued growth, the Internet Society introduced IPv6,
which provides an ample supply of IP addresses for all.

IoT devices will experience an increased allocation of dedicated IPv6 addresses for their online connectivity. By 2025,
there will be over 20 billion IoT devices deployed worldwide, ranging from primarily static devices like smart home gadgets
to dynamic-only ones such as wearables and autonomous vehicles. Some devices will fall in between, with a mix of static
and dynamic characteristics, like construction or agricultural equipment. The allocation of IPv6 addresses, typically
within a /64 subnet block, can provide valuable geolocation information for IP addresses, which can be used for
security purposes.

The allocation of IPv6 addresses within a /64 subnet block should, however, give clues as to the geolocation of the IP
address, which can then be used for security purposes.

Mass Adoption of VPNs


Over the past few years, commercial VPNs like NordVPN and ExpressVPN have rapidly gained popularity, amassing a
significant user base. Their growth shows no sign of slowing down.

Additionally, some companies, such as Apple, Google, and Cloudflare, have implemented their own VPNs to aid in user privacy. As
VPNs continue to gain momentum, we anticipate it will become increasingly challenging to locate an online user’s
precise geolocation.

New VPN technologies will emerge to bypass restrictions, and other tools will be developed to identify them. This dynamic
resembles the classic cat-and-mouse game. Such capabilities are sometimes created to circumvent censorship-blocking
technologies, while at other times, they aim to access geographically restricted content. Regardless of the purpose,
VPN adoption is expected to rise, and the monitoring of traffic to identify malicious actors attempting to commit crimes
anonymously will continue to grow.


Chapter Summary
This chapter looked at five trends Digital Element will monitor over the next year. They are:

• 5G impact on geolocation data. At present there is little impact as it has not replaced Wi-Fi for internet access.

• IPv6 impact on IP Geolocation Methodology. Adoption of IPv6 is on the rise, and offers more dedicated IP geolocation
allocation. However, there may still be cases where IP addresses cannot be geolocated, such as when IPv6 is used
as a proxy.

• IoT and IP addresses. IoT devices will benefit from dedicated IPv6 allocation. The allocation of IPv6 addresses
within a /64 block can provide clues about the geolocation of the IP address, which can be used for
security purposes.

• Mass adoption of VPNs. New VPN providers will enter the market in an attempt to circumvent restrictions, and new
solutions will emerge to stop them. This will remain a dynamic sector for the foreseeable future.

Conclusion
The future of IP addresses is important for various vertical markets, such as content protection, digital advertising and
cybersecurity. For content providers it is increasingly becoming a challenge to ensure their investments can be viable
by blocking circumvention of traffic to their content. In digital advertising, privacy is a growing concern, and third-party
cookies are going away. However, there is no personally identifiable information in IP addresses, giving marketers a
reliable, trustworthy and accurate method for serving targeted ads.

Within the cyber security industry, IP addresses are a necessary tool for threat intelligence, with the VPN market becoming
a significant threat vector. It’s important to understand the role of IP addresses in these markets to better navigate privacy
concerns and utilize them effectively for threat intelligence and cybersecurity.
