A bulk IP lookup takes a list of IP addresses, one per line or in a CSV column, and runs the same checks against every one: where the IP is located, which network operates it, and whether it carries VPN, proxy, Tor, or hosting signals. Instead of pasting addresses into a single-IP checker dozens of times, you process the whole list in one pass and download the results.
Each row returns three groups of fields. Location: the country and city the IP resolves to. Network: the ASN that announces the IP and what kind of operator it is. Risk signals: true or false flags for VPN, proxy, Tor exit node, and datacenter hosting. The data comes from the same dataset that powers Abstract's IP Intelligence API, covering over 4 billion IPv4 and IPv6 addresses and refreshed continuously.
Paste your list or upload a CSV, and the checker runs three steps:
Most rows resolve in under a second, and a full run of 25 IPs typically finishes in about 15 seconds. The free tool is rate limited, and the limits are stated next to the button, with no surprises after you paste a list.
The four risk flags describe how an IP connects, not who is behind it. VPN means the address belongs to a commercial VPN provider's range. Proxy means requests are forwarded through an intermediary. Tor means the IP is a current Tor exit node. Hosting means it belongs to a datacenter or cloud provider rather than a consumer ISP.
A single flag is not a verdict. Plenty of legitimate traffic comes from VPNs, corporate egress points sit in datacenters, and monitoring services live on hosting IPs by design. Treat each flag as one input and read it against what the row is doing in your system.
The pattern that deserves attention is concentration. If a third of the signups in your list resolve to one hosting provider, or a cluster of accounts shares a VPN range in a country you do not serve, you are usually looking at automation rather than customers.
That is why the list view beats the row view. A bulk lookup turns anecdotes into distributions: how much of your traffic is datacenter-originated, which networks keep reappearing, where your risky rows cluster. Those distributions are what you act on.
Log triage after an incident: Export the source IPs from your auth or WAF logs and run the batch. Tor exits, datacenter ranges, and VPN providers separate from residential traffic in one pass, and the network column shows whether an attack came from one operator or many.
Ad fraud and click audits: Check the IPs behind a suspicious spike in clicks or installs. Concentrations of hosting and proxy flags across a list are the signature of bot traffic, and the CSV export drops straight into your reporting.
Signup list screening: Run the IPs behind a batch of new accounts before they reach your product. Rows that stack VPN, hosting, and geography mismatches are your review queue for fake-account and trial-abuse patterns.
Vendor and traffic-quality checks: Auditing a purchased lead list or a new traffic source? Location and network type per row shows whether the residential traffic you paid for actually is residential.
curl --request GET \
--url https://ip-intelligence.abstractapi.com/v1{
"ip_address": "185.197.192.65",
"security": {
"is_vpn": true,
"is_proxy": true,
"is_tor": false,
"is_hosting": false,
"is_relay": false,
"is_mobile": false,
"is_abuse": false,
},
"asn": {
"asn": 136787,
"name": "PacketHub S.A.",
"domain": "packethub.tech",
"type": "isp",
},
"company": {
"name": "PacketHub S.A.",
"domain": "packethub.tech",
"type": "isp",
},
"domains": {
"domains": []
},
"location": {
"city": "Miami",
"city_geoname_id": 4164138,
"region": "Florida",
"region_iso_code": "FL",
"region_geoname_id": 4155751,
"postal_code": "33197",
"country": "United States",
"country_code": "US",
"country_geoname_id": 6252001,
"is_country_eu": false,
"continent": "North America",
"continent_code": "NA",
"continent_geoname_id": 6255149,
"longitude": -80.1946,
"latitude": 25.7689,
},
"timezone": {
"name": "America/New_York",
"abbreviation": "EST",
"utc_offset": -5,
"local_time": "12:07:51",
"is_dst": false,
},
"flag": {
"emoji": "🇺🇸",
"unicode": "U+1F1FA U+1F1F8",
"png": "https://static.abstractapi.com/country-flags/US_flag.png",
"svg": "https://static.abstractapi.com/country-flags/US_flag.svg",
},
"currency": {
"name": "US Dollar",
"code": "USD",
"symbol": "$"
}
}Every row returns location fields (country and city), network attribution (the ASN name and type), and four risk flags: VPN, proxy, Tor exit node, and datacenter hosting. The same fields are available programmatically through Abstract's IP Intelligence API, which adds region, coordinates, ISP details, and abuse signals.
The free tool accepts up to 25 IPs per run, pasted one per line or uploaded as a CSV. Duplicates and invalid entries are removed before the run starts, so the cap applies to unique valid addresses. For bigger lists, the IP Intelligence API processes from one request to millions per month.
Yes. The tool on this page is free with no signup required. Free runs are capped at 25 IPs and rate limited per day. For programmatic access, the IP Intelligence API has a free tier with 1,000 requests per month and pay-as-you-go pricing above that.
Location and network data come from Abstract's IP Intelligence dataset, which maps over 4 billion IPv4 and IPv6 addresses and is refreshed continuously. VPN, proxy, and hosting flags come from curated provider-range and datacenter data, and the Tor flag comes from the public Tor exit-node list. Every check runs against current data, not a stale snapshot.
Yes. Upload any CSV or text file and the checker extracts every valid IP address it finds, whichever column it sits in. Headers, extra columns, and blank lines are ignored. Results download as a clean CSV with one row per IP.
Yes. If you only need location data, read the country and city columns and ignore the flags. If you need region, postal code, coordinates, or timezone per IP, the IP Geolocation API returns the full location object for every address, with the same free tier to start.