Instead a new trend has emerged, they hide behind rotating residential proxy networks — constantly switching IP addresses while maintaining the same browser fingerprint and session behavior. To traditional security controls, this traffic often appears legitimate.

Today, we’re launching Rotating Residential Proxy (RRP) Detection for FraudGuard customers on Professional plans and above.

While commonly associated with residential proxy networks, this detection method applies to any rotating proxy infrastructure — including residential, commercial, datacenter, or hybrid proxy networks — where IP rotation occurs while maintaining a consistent client fingerprint.

👉 Full API documentation:
View Full RRP API Documentation

Why Rotating Residential Proxies Are Dangerous

Rotating proxy networks are frequently abused to:

• Bypass rate limits
• Evade IP-based security controls
• Automate account takeovers
• Conduct credential stuffing attacks
• Scrape pricing and content at scale
• Create and operate fake accounts

Because the IP addresses belong to real residential ISPs, these attacks often evade simple blocklists and reputation checks.

Attackers rotate IPs rapidly — but the browser fingerprint and session behavior stay the same.

That’s the weakness we target.

What RRP Detection Does

FraudGuard’s RRP Detection monitors client sessions for:

• Multiple distinct public IP addresses
• Observed within a short time window
• While maintaining a stable browser fingerprint

When rotation behavior is detected, FraudGuard generates a structured event with:

• Confidence score (0–100)
• Number of distinct IPs observed
• Full IP list
• Detection reasons
• Timestamp history

Each event is further enriched by FraudGuard’s Attack Correlation Engine (ACE) — a system refined over more than 10 years of global threat analysis. ACE correlates IP intelligence, behavioral patterns, and historical abuse signals to provide deeper context beyond simple IP rotation detection.

This gives your security team clear evidence of proxy-based abuse.

Lightweight Integration

RRP Detection is simple to deploy.

Embed one JavaScript snippet on protected pages:

<script src="https://api.fraudguard.io/js/fg-rrp.js?key=YOUR_PUBLIC_KEY"></script>

That’s it.

No SDKs.
No heavy client fingerprinting libraries.
No invasive data collection.

Behind the scenes, FraudGuard securely ingests session telemetry and evaluates rotation patterns in real time.

Automation & Enforcement

Customers may optionally enable automated enforcement policies that add high-confidence RRP IP addresses directly to their FraudGuard custom blacklist.

Automated enforcement is configured per account. To enable automated blacklist enforcement, please contact hello@fraudguard.io.

Designed for Real-World Abuse

RRP Detection is particularly effective in environments where attackers rely on high-volume automation designed to mimic legitimate user behavior and evade traditional security controls.

Built for Security Teams

RRP Detection integrates seamlessly with:

• Your existing FraudGuard blacklist controls
• Custom enforcement workflows
• Internal automation policies

Events are accessible via API:

• GET /api/rrp/events
• GET /api/rrp/events/<id>

Full documentation:
View Full RRP API Documentation

Available Today

Rotating Residential Proxy Detection is now available to all FraudGuard customers on:

• Professional
• Business
• Enterprise

If you’re already on a qualifying plan, you can deploy today.

If you’re not yet using FraudGuard:

Start your free trial →

Have questions? Reach out to hello@fraudguard.io and our team will help you get started.

FraudGuard’s ThreatMap Render API is designed for fast integration: submit hostnames, IPv4 addresses, or IPv6 addresses, then get back a ready-to-share URL and an embed URL.

👉 Full API documentation:
View ThreatMap Render API Docs

Available today for all Professional, Business, and Enterprise users.

Why This Is So Easy to Integrate

This endpoint does the heavy lifting for you:

• Geolocation and plotting
• Threat context visualization
• Optional summary panel
• Hosted map URL + iframe embed URL

You call one endpoint:

POST https://api.fraudguard.io/api/v1/threatmap/render

And receive a complete map response with links you can immediately use.

Request Payload (Your Main Controls)

Here is the exact request body:

{
  "ips": ["1.20.97.181", "fraudguard.io", "212.102.51.14", "82.25.3.7"],
  "theme": "dark",
  "summary_panel": true,
  "ttl_seconds": 3600
}

What each option does:

• ips: The hostnames, IPv4 addresses, and/or IPv6 addresses you want plotted.
• theme: Supports both light and dark.
• summary_panel: Supports both true and false.
• ttl_seconds: Controls how long the rendered ThreatMap stays accessible.

You can mix hostname, IPv4, and IPv6 values in the same request.

ttl_seconds is especially important for sharing and security.

The URL is randomly generated and remains accessible until TTL expiration.

You can also track expiration directly from expires_at in the response.

Example Render Output

Sample response:

{
  "threatmap_id": "tm_255e3f3779edae10bb2629e9579d8267595c38af4b1f266005cf58a2a95fbb5e",
  "threatmap_url": "https://api.fraudguard.io/threatmap/tm_255e3f3779edae10bb2629e9579d8267595c38af4b1f266005cf58a2a95fbb5e",
  "embed_url": "https://api.fraudguard.io/threatmap/tm_255e3f3779edae10bb2629e9579d8267595c38af4b1f266005cf58a2a95fbb5e/embed",
  "expires_at": "2026-01-03T07:06:21+00:00",
  "requested_count": 4,
  "plotted_count": 4,
  "unmapped_count": 0,
  "options": {
    "theme": "dark",
    "summary_panel": true,
    "ttl_seconds": 3600
  },
  "summary": {
    "countries": 3,
    "top_threats": [
      {
        "threat": "unknown",
        "count": 2
      },
      {
        "threat": "anonymous_tracker",
        "count": 1
      },
      {
        "threat": "spam_tracker",
        "count": 1
      }
    ],
    "policy_counts": {
      "whitelisted": 0,
      "blacklisted": 0,
      "geoblocked": 0
    }
  }
}

What makes this useful in practice:

• threatmap_url: Open and share instantly.
• embed_url: Drop directly into your internal admin tools.
• requested_count, plotted_count, unmapped_count: Quick health check on your input list.
• summary: Immediate top-level intelligence for analysts.

Account-Aware Context on the Map

ThreatMap plotting includes context from your FraudGuard.io account data, including custom list and policy signals.

That includes data points tied to:

• Customer geolocation blocks (geoblocked)
• Customer whitelist matches (whitelisted)
• Customer blacklist matches (blacklisted)

This gives your team a map that is not just geographic, but policy-aware.

Theme and Summary Panel Examples

Light and dark themes are both supported. The summary panel can be enabled or disabled based on your use case.

Embed in Any Dashboard

Use the embed URL directly in an iframe:

<iframe
  src="https://api.fraudguard.io/threatmap/{THREATMAP_ID}/embed"
  width="100%"
  height="600"
  style="border:0"
  loading="lazy"
  referrerpolicy="no-referrer"
  allowfullscreen>
</iframe>

Replace {THREATMAP_ID} with the threatmap_id returned by the API (or use embed_url directly from the response).

Minimal Integration Flow

1. Send POST /api/v1/threatmap/render with your IP list and options.
2. Read threatmap_url / embed_url from the response.
3. Share the URL or embed it in your SOC/admin tooling.

That’s it. No map hosting, no tile rendering work, and no front-end visualization framework required.

Need help integrating ThreatMap Render into your workflow? Reach out at hello@fraudguard.io.

FraudGuard gives teams the intelligence and tooling to enforce IP policy with precision.

Common Reasons Websites Block IPs

• Malicious activity: Malware distribution, phishing, or active exploitation.
• Bot automation: Scraping, brute force attempts, or credential stuffing.
• Fraud prevention: Stolen payment methods and account takeovers.
• DDoS mitigation: Limiting noisy sources before they flood infrastructure.
• Policy enforcement: Country restrictions, licensing rules, or compliance requirements.

The Problem With Blanket Blocking

Overblocking creates support tickets, lost conversions, and frustrated customers. The better approach is risk-based enforcement: block the worst, challenge the suspicious, and allow the rest.

A Risk-Based Blocking Strategy

• Use IP reputation to score risk before you block.
• Check attribution so you understand the network behind the traffic.
• Scale with automation using APIs and bulk workflows.
• Continuously update rules based on new threat signals.

How FraudGuard Helps

FraudGuard provides the intelligence and enforcement workflow teams need to block bad IPs while minimizing false positives:

• IP Lookup for immediate reputation checks
• IP reputation endpoint for real-time automation
• Expand to bulk lookup v3 if you need to evaluate ranges or many IPs at once.
• For large-scale enforcement, the Offline Threat Database provides a near real-time copy of ACE.

Summary

Websites block IP addresses to reduce abuse, fraud, and operational risk. The most effective approach is not blanket bans but reputation-driven enforcement. FraudGuard helps you make those decisions quickly and consistently.

Explore the full IP Reputation & Abuse Guide for related topics.

FraudGuard surfaces ASN and network attribution in every lookup so security teams can identify abuse patterns beyond a single IP.

Why ASN Abuse Matters

• Scale: Malicious activity often appears across whole ranges, not just one IP.
• Attribution: ASN data shows which networks are repeatedly associated with abuse.
• Policy enforcement: ASN patterns inform blocking, rate limiting, or monitoring decisions.

Common Signs of ASN Abuse

• Repeated threats from the same ASN across multiple IPs
• Concentrated abuse from hosting or VPS providers
• Recurring bot activity tied to specific network ranges

How to Investigate ASN Abuse

• Start with IP reputation to confirm risk and threat type.
• Check network attribution to see the ASN and provider.
• Expand the search across the ASN or range to verify patterns.
• Apply consistent controls across the offending network.

How FraudGuard Helps

FraudGuard provides attribution and threat intelligence that make ASN-based investigations fast and reliable:

• IP Lookup for immediate ASN and provider context
• Advanced Threat Lookup to research abuse by ASN, ISP, or organization
• Expand to bulk lookup v3 if you need to evaluate ranges or many IPs at once.
• For large-scale enforcement, the Offline Threat Database provides a near real-time copy of ACE.

Summary

ASN abuse is a network-level signal that helps you move beyond one-off IP blocks to systematic enforcement. FraudGuard makes it easy to identify abusive networks and respond consistently across entire ranges.

Explore the full IP Reputation & Abuse Guide for related topics.

FraudGuard turns those signals into clear risk context so you can make the call quickly.

A Simple Safety Checklist

• Reputation score: Is the IP associated with known abuse or threats?
• Threat classifications: Proxy, botnet, spam, or other malicious categories?
• Network attribution: Does the ASN or ISP have a history of abuse?
• Behavior patterns: Is this part of a broader pattern or isolated?

Fast Way to Check an IP

• Run a quick check with FraudGuard IP Lookup
• Review threat classifications and reputation in the IP reputation docs
• Expand to bulk lookup v3 if you need to evaluate ranges or many IPs at once.
• For large-scale enforcement, the Offline Threat Database provides a near real-time copy of ACE.

Turn Safety Into Action

Once you have the context, pick the response that fits your risk policy:

• Allow if reputation is clean and attribution is trusted.
• Challenge if signals are mixed or suspicious.
• Block if the IP is clearly associated with abuse.

Summary

“Safe” is not a guess. It is a decision based on reputation and context. FraudGuard gives you the risk signals you need to decide confidently and enforce quickly.

Explore the full IP Reputation & Abuse Guide for related topics.

FraudGuard builds IP reputation from real attack telemetry, global honeypot data, and correlated risk scoring so security teams can act quickly and consistently.

What Is IP Reputation?

IP reputation is a risk assessment based on how an IP has been observed over time. It answers questions like:

• Has this IP been linked to abuse or malicious activity?
• Does it belong to a high-risk network or hosting provider?
• Is it associated with known threat categories like bots, proxies, or spam?

Signals That Affect IP Reputation

• Threat classifications: Botnet, proxy, spam, or other abuse types.
• Network attribution: ASN, ISP, organization, and hosting footprint.
• Observed behavior: Repeated malicious activity across time or targets.
• Scale and concentration: Abuse clustered in specific ranges or providers.

How Businesses Use IP Reputation

• Block or challenge risky traffic before it reaches your systems.
• Prioritize investigations when incidents occur.
• Automate policy enforcement at the edge, in WAFs, or within applications.
• Reduce false positives by allowing known-good IPs and partners.

Using FraudGuard for IP Reputation

FraudGuard provides multiple ways to use IP reputation depending on your workflow:

• IP Lookup for quick checks and attribution
• IP reputation endpoint for real-time scoring and classification
• Expand to bulk lookup v3 if you need to evaluate ranges or many IPs at once.
• For large-scale enforcement, the Offline Threat Database provides a near real-time copy of ACE.

Summary

IP reputation turns IP addresses into actionable risk signals. When you combine reputation with attribution and threat context, decisions become fast, consistent, and defensible. FraudGuard gives teams the visibility and tooling to operationalize IP reputation at any scale.

Explore the full IP Reputation & Abuse Guide for related topics.

It is available in the FraudGuard app and via API.

What Is IP Dispute Manager?

IP Dispute Manager is a dispute workflow for IP reputation enforcement. It lets blocked users submit a dispute, captures a full context snapshot, and gives your team a clear decision path that updates your custom lists automatically.

The goal is simple: reduce false positives without weakening security.

How It Works

1. Share a public dispute link Each customer gets a unique, BotGuard-protected dispute URL from the app. It is perfect for WAF 403 pages, “access denied” screens, or support workflows where users need a fast way to request an exception.

2. User submits their details The form collects the IP, name, and email. The IP is pre-filled and validated.

3. Context is captured automatically FraudGuard snapshots the full v5 IP reputation context (risk, threat, ASN/ISP, geo, and list membership) at the time of submission.

4. Decide: allowlist, blacklist, or dismiss The customer reviews context in the app (or via API) and chooses the outcome. The decision updates their custom lists immediately.

What You See in the App

• Dispute queue with status filters (pending, allowlisted, blocklisted, dismissed)
• Full IP context snapshot for fast review
• One-click decisions that update allowlist or blacklist

Who Should Use It

• Security teams that need a safe exception path without weakening enforcement
• B2B platforms where partner access must be restored quickly
• Enterprises with compliance or audit requirements for IP decisions

Availability

IP Dispute Manager is available on the Professional plan ($99+) and above.

Summary

IP Dispute Manager is built for the real-world case where a legitimate user gets blocked. It provides a fast, auditable path to correct false positives and keeps enforcement accurate through customer-specific allowlists and blocklists.

Get started in the FraudGuard app or dive into the IP Dispute Manager API documentation.

FraudGuard makes this easy with a public IP Lookup tool and reputation APIs built on real attack telemetry and risk scoring. You can start with a quick lookup and move to bulk or automated enforcement as needed.

What to Look At When Checking an IP

• Reputation and threat context: Look for clear signals about abuse history and threat type.
• Network attribution: Understand the ASN, ISP, and organization behind the IP.
• Patterns at scale: If one IP is bad, its network may be bad too.
• Actionability: You want clear options for block, challenge, or allow.

If you want a broader view of risks and threat categories, this overview explains where most security teams start: FraudGuard.io Threats & Risks documentation.

Step-by-Step: How to Check if an IP Is Malicious

1. Run a quick lookup

Start with FraudGuard IP Lookup for up to 10 IPs or hostnames. No registration or payment required.

2. Review reputation and attribution

Check the risk signal and network details (ASN, ISP, Org) to understand ownership and context.

3. Pull threat-specific detail

Use the IP reputation endpoints to see threat classifications and supporting evidence where available.

4. Expand to bulk or CIDR

If you are handling many IPs, use bulk lookup or CIDR expansion to cover full ranges quickly.

For large-scale enforcement, the Offline Threat Database provides a near real-time copy of ACE.

5. Investigate patterns

If you see repeated abuse from a provider, ASN, or region, use advanced filters to confirm and respond consistently.

Make the Decision: Block, Challenge, or Allow

Once you have reputation, attribution, and context, the decision becomes clear:

• Block IPs with consistent malicious activity.
• Challenge suspicious traffic that needs verification.
• Allow known-good IPs, with optional whitelisting.

FraudGuard gives you enforcement-ready data so your response is fast and consistent across teams.

Operationalize at Scale

For recurring security workflows, FraudGuard supports bulk pipelines and offline data so you can enforce rules across SIEM, firewall, and internal analytics systems. Learn more at FraudGuard IP Lookup.

Summary

Checking whether an IP is malicious starts with reputation and context, and ends with clear action. FraudGuard provides the lookup, scoring, and enforcement workflows to turn suspicious traffic into confident decisions.

Explore the full IP Reputation & Abuse Guide for related topics.

FraudGuard helps security teams separate legitimate privacy use from high-risk VPN activity by correlating reputation signals, threat classifications, and network attribution in real time.

In ACE, 81% of IPs tagged vpn_tracker have proxied attacker requests in the last 90 days. That signal is why our default recommendation is to challenge VPN traffic first, then block only when attack activity is confirmed.

Why Sites Block VPN IPs

• Abuse concentration: A small number of VPN exit nodes can generate a large amount of malicious traffic.
• Credential abuse: Attackers use VPNs to hide origin during credential stuffing and account takeovers.
• Bot automation: VPNs are often paired with scripts and headless tools for scraping and abuse.
• Policy enforcement: Some services restrict access by region, licensing terms, or compliance rules.
• Risk scoring: IP reputation systems flag VPN nodes when they are associated with abuse.

How to Detect VPN Risk Without Overblocking

• Check reputation first: Not all VPN traffic is malicious. Risk scoring is the most reliable signal.
• Use threat context: Look for proxy, botnet, spam, or abuse classifications.
• Attribute the network: ASN and ISP data reveal whether the source is a common hosting or VPN provider.
• Apply tiered responses: Challenge vpn_tracker IPs by default, block only when ACE confirms specific attacks, and allow known-good IPs.

How FraudGuard Helps

FraudGuard provides VPN-aware reputation signals and threat classifications so you can make fast decisions without overblocking.

• IP Lookup for quick checks and attribution
• IP reputation endpoint for automation and enforcement
• Advanced Threat Lookup to investigate patterns by ASN, ISP, or region
• Expand to bulk lookup v3 if you need to evaluate ranges or many IPs at once.
• For large-scale enforcement, the Offline Threat Database provides a near real-time copy of ACE.

Summary

VPN IPs are often challenged because they can concentrate abuse, obscure origin, and amplify automated attacks. The right approach is not a blanket ban, but challenge-first enforcement and blocking only when ACE confirms specific attacks. FraudGuard gives you the reputation context to make those decisions quickly and consistently.

Explore the full IP Reputation & Abuse Guide for related topics.

FraudGuard has been operating continuously for more than a decade now, and during that time we’ve done one thing exceptionally well: observe attackers at scale, refine our understanding of their behavior, and turn that knowledge into reliable, actionable intelligence for customers. The honeypot and Attack Correlation Engine (ACE) architecture that powers FraudGuard today is the result of years of iteration, tuning, and real-world validation, not a short-term research project or a recently assembled dataset.

At its core, FraudGuard operates what we believe to be one of the largest and most mature honeypot networks operating today—not just in terms of raw IP space, but in depth, longevity, and behavioral coverage.

Built for Longevity, Not Optics

From day one, FraudGuard was designed to look ordinary.

Our honeypot infrastructure spans vast amounts of routable IP space leased through long-standing datacenter partners, many of whom have been allocating address space for decades. These are not ephemeral, burstable cloud-only blocks that rotate every few weeks. They are stable, geographically diverse networks with realistic routing histories exactly the kind of infrastructure attackers already target.

This long-lived footprint matters. Attackers behave differently when they believe they are interacting with real infrastructure, and FraudGuard’s network is intentionally designed to blend into the background noise of the internet rather than announce itself as research tooling.

AI-Verified Traffic at Global Scale

Operating at this scale means not all traffic is worth keeping.

FraudGuard uses AI-assisted verification pipelines to analyze inbound traffic hitting our honeypot collection nodes. These systems help us differentiate between ambient internet noise, benign misconfiguration, and intentional hostile behavior allowing us to focus on traffic that demonstrates intent, persistence, and pattern.

This verification step is a critical reason FraudGuard data remains clean, consistent, and dependable for customers. Intelligence quality is not defined by how much you collect, it’s defined by how well you filter and contextualize it.

At peak operation, FraudGuard processes millions of discrete datapoints every day across this verification layer. AI-assisted analysis allows us to evaluate this volume continuously prioritizing high-signal activity while ensuring that short-lived anomalies and long-running attack campaigns are both captured accurately.

Expanding the Attack Surface

FraudGuard does not rely solely on passive observation.

Portions of our infrastructure are designed to understand how attackers discover and exploit exposed credentials and access artifacts in the wild. This includes carefully controlled, intentionally seeded API keys and service identifiers placed in public code repositories such as GitHub and GitLab. These artifacts are scoped to prevent real-world harm, while allowing us to observe attacker workflows once discovery occurs.

This approach provides insight into:

• Credential harvesting automation
• Replay behavior and timing
• Tooling reuse across campaigns
• Infrastructure shared between unrelated attacks

Importantly, FraudGuard operates this capability responsibly. Outbound interaction from our network is tightly controlled, legally compliant, and intentionally limited, ensuring that we never meaningfully participate in attacks or facilitate harm. The purpose is observation, attribution, and intelligence—not engagement.

ACE: Where History Matters

Raw attack data becomes exponentially more valuable when it’s connected over time.

FraudGuard’s Attack Correlation Engine (ACE) is the system that transforms isolated events into meaningful threat intelligence. ACE evaluates IP addresses across multiple dimensions: time, attack type, frequency, infrastructure reuse, cross-vector behavior, etc.

IPs that repeatedly appear across:

• Different attack classes
• Separate honeypot surfaces
• Long time horizons
• Coordinated activity clusters

naturally escalate in risk. This historical context is why FraudGuard customers consistently report lower false positives and higher confidence decisions. ACE doesn’t react to a single event; it recognizes patterns.

As a result, IPs within ACE may persist for vastly different lifespans. Some appear only briefly, active for a matter of hours before disappearing; while others demonstrate sustained, relentless behavior and remain visible across the system for months or even years. This temporal diversity is a core strength of ACE, allowing it to reflect the true lifecycle of modern attackers rather than forcing every signal into a fixed window.

A Small Window Into a Very Large System

Until recently, nearly all of this infrastructure operated behind the scenes. Recently, we’ve opened a tiny public window into the FraudGuard honeypot network and ACE processing pipeline.

Our ThreatView page provides a real-time visualization of live attack activity flowing through FraudGuard’s infrastructure. It’s a curated view but it reflects the same data sources, verification logic, and correlation principles that power our intelligence products.

What you see there represents only a fraction of what FraudGuard processes every day but it’s a glimpse into a system that’s been quietly observing, learning, and evolving for more than a decade.

If you’d like to explore this data firsthand, you can start with ThreatView or create a free FraudGuard.io trial to access our threat intelligence APIs. If you have questions along the way, reach us anytime at hello@fraudguard.io.