Check a whole list of IPs in one pass

Paste up to 25 IPs or upload a CSV and get location, network, and VPN, proxy, Tor, and hosting flags for every row. Results in seconds, downloadable as CSV. No signup required.
Paste your IP list to check
No list handy?
Load a sample list
Check all IPs
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Up to 25 IPs per run, free. Bigger lists: IP Intelligence API
Checking your list
5
Results:
ip address
Is Tor:
Is Tor
Country:
Country
Is Proxy:
Is Proxy
Is VPN:
Is VPN:
Get free credits, more data, and faster results

What a bulk IP lookup returns

A bulk IP lookup takes a list of IP addresses, one per line or in a CSV column, and runs the same checks against every one: where the IP is located, which network operates it, and whether it carries VPN, proxy, Tor, or hosting signals. Instead of pasting addresses into a single-IP checker dozens of times, you process the whole list in one pass and download the results.

Each row returns three groups of fields. Location: the country and city the IP resolves to. Network: the ASN that announces the IP and what kind of operator it is. Risk signals: true or false flags for VPN, proxy, Tor exit node, and datacenter hosting. The data comes from the same dataset that powers Abstract's IP Intelligence API, covering over 4 billion IPv4 and IPv6 addresses and refreshed continuously.

How the bulk IP checker works

Paste your list or upload a CSV, and the checker runs three steps:

  1. Parse and dedupe. The checker extracts every valid IPv4 and IPv6 address from your input, drops duplicates and malformed entries, and shows the count before the run starts.
  2. One request per IP. Each address runs through the same check the single-IP tools on this site use: location, network attribution, and VPN, proxy, Tor, and hosting signals returned together for each row.
  3. Review and export. Results stream into the table as they complete, and failed rows are marked rather than dropped, so the output always lines up with your input. Download the full table as a CSV when the run finishes.

Most rows resolve in under a second, and a full run of 25 IPs typically finishes in about 15 seconds. The free tool is rate limited, and the limits are stated next to the button, with no surprises after you paste a list.

Reading the flags in your results

The four risk flags describe how an IP connects, not who is behind it. VPN means the address belongs to a commercial VPN provider's range. Proxy means requests are forwarded through an intermediary. Tor means the IP is a current Tor exit node. Hosting means it belongs to a datacenter or cloud provider rather than a consumer ISP.

A single flag is not a verdict. Plenty of legitimate traffic comes from VPNs, corporate egress points sit in datacenters, and monitoring services live on hosting IPs by design. Treat each flag as one input and read it against what the row is doing in your system.

The pattern that deserves attention is concentration. If a third of the signups in your list resolve to one hosting provider, or a cluster of accounts shares a VPN range in a country you do not serve, you are usually looking at automation rather than customers.

That is why the list view beats the row view. A bulk lookup turns anecdotes into distributions: how much of your traffic is datacenter-originated, which networks keep reappearing, where your risky rows cluster. Those distributions are what you act on.

Use cases for bulk IP lookup

Log triage after an incident: Export the source IPs from your auth or WAF logs and run the batch. Tor exits, datacenter ranges, and VPN providers separate from residential traffic in one pass, and the network column shows whether an attack came from one operator or many.

Ad fraud and click audits: Check the IPs behind a suspicious spike in clicks or installs. Concentrations of hosting and proxy flags across a list are the signature of bot traffic, and the CSV export drops straight into your reporting.

Signup list screening: Run the IPs behind a batch of new accounts before they reach your product. Rows that stack VPN, hosting, and geography mismatches are your review queue for fake-account and trial-abuse patterns.

Vendor and traffic-quality checks: Auditing a purchased lead list or a new traffic source? Location and network type per row shows whether the residential traffic you paid for actually is residential.

See what the API returns

Every check in your list returns this structured JSON through the IP Intelligence API, from one request to millions per month.

Response parameters

ip_address

String
The IP address submitted for geolocation.

security.is_vpn

Boolean
Whether the IP address is being used from a VPN.

security.is_proxy

Boolean
Whether the IP address is being used from a Proxy.

security.is_tor

Boolean
Whether the IP address is part of the TOR network.

security.is_hosting

Boolean
Whether the IP address is an internet service hosting IP address.

security.is_relay

Boolean
Whether the IP address is being used as a relay server.

security.is_mobile

Boolean
Whether the IP address belongs to a mobile network.

security.is_abuse

Boolean
Whether the IP address has been flagged for abusive behavior.

asn.asn

Integer
The Autonomous System Number (ASN) associated with the IP address.

asn.name

String
The name of the organization or ISP associated with the ASN.

asn.domain

String
The domain associated with the ASN.

asn.type

String
The type of organization, such as ISP or hosting.

company.name

String
The name of the company associated with the IP address.

company.domain

String
The company's domain name.

company.type

String
The type of company, such as ISP or hosting.

domains.domains

Array
A list of domains associated with the IP address.

location.city

String
City's name.

location.city_geoname_id

Integer
City's geoname ID.

location.region

String
State or province in which the city is located.

location.region_iso_code

Integer
State or province's ISO 3166-2 code.

location.region_geoname_id

String
State or province's geoname ID.

location.postal_code

String
ZIP or postal code.

location.country

String
Country's name.

location.country_code

Integer
Country's ISO 3166-1 alpha-2 code.

location.country_geoname_id

Integer
Country's geoname ID.

location.is_country_eu

Boolean
True if the country is in the EU, false if it is not.

location.continent

String
Continent's name.

location.continent_code

String
2 letter continent code: AF, AS, EU, NA, OC, SA, AN.

location.continent_geoname_id

Integer
Continent's geoname ID.

location.longitude

Float
Decimal of the longitude.

location.latitude

Float
Decimal of the latitude.

timezone.name

String
Timezone's name from the IANA Time Zone Database.

timezone.abbreviation

String
Timezone's abbreviation, also from the IANA Time Zone Database.

timezone.utc_offset

Integer
The UTC offset for the timezone.

timezone.local_time

String
Current time in the local time zone.

timezone.is_dst

Boolean
True if the location is currently in Daylight Savings Time (DST).

flag.emoji

String
Country's flag as an emoji.

flag.unicode

String
Country's flag in unicode.

flag.png

String
Link to a hosted version of the country's flag in PNG format.

flag.svg

String
Link to a hosted version of the country's flag in SVG format.

currency.name

String
The currency's name.

currency.code

String
The currency's code in ISO 4217 format.

currency.symbol

String
The currency's symbol.

API Endpoint

curl --request GET \
  --url https://ip-intelligence.abstractapi.com/v1

API Response

{
"ip_address": "185.197.192.65",
"security": {
    "is_vpn": true,
    "is_proxy": true,
    "is_tor": false,
	"is_hosting": false,
	"is_relay": false,
	"is_mobile": false,
	"is_abuse": false,
},
"asn": {
    "asn": 136787,
    "name": "PacketHub S.A.",
    "domain": "packethub.tech",
    "type": "isp",
},
"company": {
    "name": "PacketHub S.A.",
    "domain": "packethub.tech",
    "type": "isp",
},
"domains": {
	"domains": []
},
"location": {
    "city": "Miami",
    "city_geoname_id": 4164138,
    "region": "Florida",
    "region_iso_code": "FL",
    "region_geoname_id": 4155751,
    "postal_code": "33197",
    "country": "United States",
    "country_code": "US",
    "country_geoname_id": 6252001,
    "is_country_eu": false,
    "continent": "North America",
    "continent_code": "NA",
    "continent_geoname_id": 6255149,
    "longitude": -80.1946,
    "latitude": 25.7689,
},
"timezone": {
    "name": "America/New_York",
    "abbreviation": "EST",
    "utc_offset": -5,
    "local_time": "12:07:51",
    "is_dst": false,
},
"flag": {
    "emoji": "🇺🇸",
    "unicode": "U+1F1FA U+1F1F8",
    "png": "https://static.abstractapi.com/country-flags/US_flag.png",
    "svg": "https://static.abstractapi.com/country-flags/US_flag.svg",
},
"currency": {
    "name": "US Dollar",
    "code": "USD",
    "symbol": "$"
}
}

Bulk IP lookup FAQ

What data comes back for each IP?

Every row returns location fields (country and city), network attribution (the ASN name and type), and four risk flags: VPN, proxy, Tor exit node, and datacenter hosting. The same fields are available programmatically through Abstract's IP Intelligence API, which adds region, coordinates, ISP details, and abuse signals.

How many IPs can I check at once?

The free tool accepts up to 25 IPs per run, pasted one per line or uploaded as a CSV. Duplicates and invalid entries are removed before the run starts, so the cap applies to unique valid addresses. For bigger lists, the IP Intelligence API processes from one request to millions per month.

Is the bulk IP lookup free?

Yes. The tool on this page is free with no signup required. Free runs are capped at 25 IPs and rate limited per day. For programmatic access, the IP Intelligence API has a free tier with 1,000 requests per month and pay-as-you-go pricing above that.

Where does the data come from?

Location and network data come from Abstract's IP Intelligence dataset, which maps over 4 billion IPv4 and IPv6 addresses and is refreshed continuously. VPN, proxy, and hosting flags come from curated provider-range and datacenter data, and the Tor flag comes from the public Tor exit-node list. Every check runs against current data, not a stale snapshot.

Can I upload a CSV?

Yes. Upload any CSV or text file and the checker extracts every valid IP address it finds, whichever column it sits in. Headers, extra columns, and blank lines are ignored. Results download as a clean CSV with one row per IP.

Can I use this for bulk IP geolocation only?

Yes. If you only need location data, read the country and city columns and ignore the flags. If you need region, postal code, coordinates, or timezone per IP, the IP Geolocation API returns the full location object for every address, with the same free tier to start.

Run this at production scale
stars rating
4.8 from 1,863 votes
One request per IP through the IP Intelligence API. Free tier with 1,000 requests per month, no credit card required.
get free api key
No credit card required