跳转到内容
POST AI agent ready /v1/ip-blocklist/check

IP Blocklist Check API - Detect Bogons and Suspicious Hosts

Runs four checks on an IPv4 address: RFC1918 private ranges, bogon ranges (TEST-NET, CGNAT, multicast, reserved), reverse DNS (PTR), and suspicious hostname keywords (tor, proxy, vpn, spam, etc.). Returns a risk level (low/medium/high) plus the raw check results. IPv6 is not supported.

Parameters

stringrequired

IPv4 address to check.

Code examples

curl -X POST https://api.botoi.com/v1/ip-blocklist/check \
  -H "Content-Type: application/json" \
  -d '{"ip":"185.220.101.5"}'

When to use this API

Filter signup traffic from bogon networks

Reject signups where the client IP is in a bogon range. These are reserved or undeliverable networks (TEST-NET, 169.254/16, multicast) and almost always indicate a misconfigured proxy or spoofed header.

Rate-limit Tor and known-proxy traffic separately

Route IPs with suspicious hostnames (tor-exit-*, *.proxy.*, *vpn*) into a tighter rate-limit bucket. Legitimate Tor users still get access; automated abuse gets throttled.

Enrich your application logs

For every high-value event (password reset, admin action, large refund), call this endpoint and log the risk_level and reverse DNS. Gives your SOC team a head start during incident triage.

Frequently asked questions

Why is IPv6 not supported?
The bogon and private-range CIDR tables are IPv4-only in this implementation. IPv6 bogon lists exist but change frequently; a dedicated IPv6 endpoint is on the roadmap.
What makes a hostname "suspicious"?
The reverse DNS is checked for keywords: tor, exit, relay, proxy, vpn, anonymiz, spam, abuse, malware, botnet, hack. A match promotes the risk level to high. Clean hostnames (like "ec2-*.amazonaws.com") do not trigger the flag.
How is the risk level calculated?
Low by default. Promoted to medium if the IP is in a private or bogon range. Promoted to high if the reverse DNS contains a suspicious keyword, regardless of the range checks.
Does this query third-party threat feeds?
No. All checks run against built-in CIDR tables and a Cloudflare DNS PTR lookup. For deeper threat-intel enrichment combine this with /v1/vpn-detect/check and /v1/ip-whois/lookup.
Why is 192.0.2.1 flagged as bogon?
192.0.2.0/24 is TEST-NET-1 per RFC 5737. It is reserved for documentation and must not appear on the public internet. Seeing it as a source IP means the client is spoofed or the request passed through a broken proxy.

Get your API key

Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.

Sign up free View full docs