Skip to main content
Threat Detection

ISP & ASN Reputation Database

Assess risk at the network level with reputation profiles for 471 ISPs and Autonomous Systems. Download the database and query it locally to enrich every IP lookup with network intelligence.

View Pricing All Threat Types
471
ISP Profiles
50+
Risk Signals
Monthly
Database Updates

How ISP & ASN reputation scoring works

Every IP address on the internet belongs to an Autonomous System (AS) operated by an ISP, hosting provider, or organization. By profiling these networks, you can assess risk before even looking at individual IP behavior.

1

ASN Registry Analysis

We analyze data from all five Regional Internet Registries (ARIN, RIPE, APNIC, AFRINIC, LACNIC) to build a complete picture of who operates each ASN, what IPs they announce, and how their network is structured.

2

Network Type Classification

Each ASN is classified by its primary function: residential broadband, mobile carrier, business enterprise, hosting provider, educational institution, or government network. This classification is critical for risk assessment.

3

Abuse History Scoring

We track abuse reports, spam blacklists, and threat intelligence feeds to calculate an abuse score for each ASN. Networks with a history of hosting malicious activity receive higher abuse scores.

4

Monthly Reputation Refresh

Network reputations change over time as ISPs improve or deteriorate their abuse handling. Our database is refreshed monthly with updated abuse scores, network classifications, and new ASN registrations.

Example ASN reputation profiles

AS7922

Comcast Cable

Low Risk
Type: Residential Country: US Abuse: 12/100
AS16509

Amazon (AWS)

Medium Risk
Type: Hosting Country: US Abuse: 45/100
AS44477

Stark Industries (Bullet-proof)

Critical Risk
Type: Hosting Country: MD Abuse: 92/100

Scores are illustrative. Actual values update monthly.

What's included in the database

The ISP & ASN Reputation database is delivered as CSV and JSON files. Each record represents an Autonomous System with its classification, abuse score, and metadata.

Field Type Description
asn integer The Autonomous System Number (e.g., AS13335 for Cloudflare, AS16509 for Amazon)
asn_name string Registered name of the ASN (e.g., "CLOUDFLARENET", "AMAZON-02")
isp_name string Human-readable ISP or organization name
type enum Classification: residential, business, hosting, education, government, mobile
country string Country where the ISP is headquartered (ISO 3166-1 alpha-2)
abuse_score integer Abuse reputation score from 0 (clean) to 100 (high abuse)
is_hosting boolean Whether the ASN is primarily a hosting or cloud provider
is_mobile boolean Whether the ASN is a mobile carrier network
total_ips integer Total number of IP addresses announced by this ASN
risk_level enum Overall risk classification: low, medium, high, critical
471
ASN Profiles
CSV & JSON
Data Formats
Monthly
Update Frequency

Use cases for ISP reputation data

Network-level intelligence adds a powerful signal to your fraud detection stack. Knowing the reputation of the source network helps you make better decisions, faster.

Network-Level Fraud Scoring

Use ISP reputation as a signal in your fraud scoring model. Traffic from high-abuse hosting providers warrants more scrutiny than traffic from established residential ISPs.

Hosting Provider Identification

Immediately identify when traffic comes from AWS, GCP, Azure, or any of hundreds of hosting providers. Legitimate users rarely access web applications from cloud servers.

Geographic Risk Profiling

Combine ISP data with geographic information to build richer risk profiles. Understand whether an IP belongs to a local residential ISP or an offshore hosting provider.

Mobile vs. Desktop Verification

Distinguish mobile carrier traffic from broadband and hosting traffic. A "mobile" user accessing your app from a datacenter IP is a red flag worth investigating.

Rate Limiting by Network

Apply different rate limits based on the source network. Residential ISPs get generous limits, while known high-abuse hosting providers get tighter restrictions.

Attack Surface Reduction

Block entire ASNs known for persistent abuse when under attack. Network-level blocking is far more efficient than blocking individual IPs when dealing with distributed attacks.

Enrich IP lookups with network reputation

Combine the ISP reputation database with an IP-to-ASN mapping to add network intelligence to every request. Two database lookups give you the ISP name, type, abuse score, and risk level.

PHP - ASN Reputation Lookup 
prepare(
        "SELECT asn FROM ip_to_asn
         WHERE ip_start <= INET6_ATON(:ip)
           AND ip_end   >= INET6_ATON(:ip)
         LIMIT 1"
    );
    $stmt->execute(['ip' => $ip]);
    $asn_row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$asn_row) return null;

    // Step 2: Get the reputation profile for this ASN
    $stmt = $pdo->prepare(
        "SELECT asn, isp_name, type, country, abuse_score,
                is_hosting, is_mobile, risk_level
         FROM isp_reputation WHERE asn = :asn"
    );
    $stmt->execute(['asn' => $asn_row['asn']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage: enrich your fraud scoring with ISP data
$ip = $_SERVER['REMOTE_ADDR'];
$isp = get_isp_reputation($pdo, $ip);

if ($isp) {
    $fraud_score = 0;

    // Hosting provider traffic is suspicious for user-facing apps
    if ($isp['is_hosting']) $fraud_score += 30;

    // High abuse score adds to risk
    if ($isp['abuse_score'] > 70) $fraud_score += 25;
    elseif ($isp['abuse_score'] > 40) $fraud_score += 10;

    // Critical risk networks
    if ($isp['risk_level'] === 'critical') $fraud_score += 40;

    // Combine with other signals (VPN check, email check, etc.)
    $total_risk = calculate_total_risk($fraud_score, $other_signals);
}
Python - Enriching Requests with ISP Data 
import sqlite3
import ipaddress

DB_PATH = "antiproxies_isp.db"

def get_isp_info(ip: str) -> dict | None:
    """Look up ISP reputation for an IP address."""
    conn = sqlite3.connect(DB_PATH)
    conn.row_factory = sqlite3.Row
    ip_int = int(ipaddress.ip_address(ip))

    # Step 1: IP to ASN
    asn_row = conn.execute(
        "SELECT asn FROM ip_to_asn WHERE ip_start <= ? AND ip_end >= ? LIMIT 1",
        (ip_int, ip_int)
    ).fetchone()

    if not asn_row:
        conn.close()
        return None

    # Step 2: ASN reputation
    isp = conn.execute(
        """SELECT asn, isp_name, type, country, abuse_score,
                  is_hosting, is_mobile, risk_level
           FROM isp_reputation WHERE asn = ?""",
        (asn_row["asn"],)
    ).fetchone()

    conn.close()
    return dict(isp) if isp else None

# Example: Django middleware that tags every request with ISP info
class ISPReputationMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        isp = get_isp_info(request.META.get("REMOTE_ADDR", ""))
        request.isp_info = isp
        request.is_high_risk_network = (
            isp and (isp["is_hosting"] or isp["abuse_score"] > 60)
        )
        return self.get_response(request)

Related reading

Blog

ISP Reputation Scoring: A Practical Guide

How to classify networks, build risk profiles, and use ISP reputation in production.

 Blog

What Is IP Reputation and Why It Matters

The signals that feed IP reputation and how to use them for fraud prevention.

 Blog

Datacenter IPs vs Residential IPs

What traffic classification tells you about your visitors and how to act on it.

 Glossary

IP Reputation

How IP reputation scoring works and why it matters for fraud prevention.

Want to see what's in the database?

Download once, query as many times as you need. €99/year for all 22 databases, unlimited servers, and a full year of monthly updates. No usage limits, no per-query fees, no data leaving your servers.

View Pricing Contact Us
30-day money-back guarantee
All databases included
Monthly updates