VPN Endpoint

• IP address resolves to a known commercial VPN provider ASN (Mullvad, NordVPN, ExpressVPN, Private Internet Access, etc.)
• Reverse DNS hostname contains keywords: vpn, exit, node, relay, server
• IP geolocation mismatches with other session signals (device language, timezone, browser locale)
• Multiple distinct accounts accessing services from the same VPN exit IP within a short window
• Low IP reputation score from commercial fraud detection APIs (IPQualityScore, MaxMind, Spur)
• Whois organization field lists a VPN provider or a known VPN infrastructure company

Check VPN status using commercial APIs

# IPQualityScore VPN/proxy detection
API_KEY="your_key"
IP="185.195.232.5"
curl -s "https://ipqualityscore.com/api/json/ip/$API_KEY/$IP" \
  | jq '{vpn, proxy, tor, fraud_score}'

# ipinfo.io privacy detection
curl -s "https://ipinfo.io/$IP/json?token=your_token" | jq '.privacy'

ASN-based VPN detection

import ipaddress
# Maintain a list of known VPN provider ASNs
VPN_ASNS = {9009, 20473, 24961, 60068, 212238}  # examples

def is_vpn_asn(asn: int) -> bool:
    return asn in VPN_ASNS

Spur.us feed integration (enterprise)

# Spur provides structured VPN/residential proxy/Tor data
# Download daily feed and query locally for zero-latency lookups
curl -H "Token: $SPUR_TOKEN" \
  "https://feeds.spur.us/v2/anonymous-residential/latest.json.gz" \
  -o /tmp/spur_feed.json.gz

1. Apply risk-based scoring: Rather than blocking all VPN traffic, use commercial IP reputation APIs to assign a risk score and apply proportional friction (CAPTCHA, MFA, review queue) for high-risk sessions.
2. Detect geolocation inconsistencies: Flag sessions where the IP geolocation contradicts device signals (system timezone, browser locale, accept-language headers). Require additional verification.
3. Account-level monitoring: Track how many accounts access your service from a single VPN exit IP within a rolling time window. Alert on anomalies that suggest shared credential use.
4. Enforce policy for regulated content: For age verification, export-controlled content, or geo-licensed media, VPN detection is a required compliance control — consult legal counsel on appropriate enforcement.
5. Allow legitimate use where possible: Enterprise VPN users and privacy-conscious users are often legitimate customers. Avoid blanket blocks that damage user experience without meaningful security gain.
6. Keep VPN IP lists updated: Commercial VPN providers add and remove exit nodes frequently. Use feeds that update daily or in real time rather than static block lists.

Netflix VPN Detection Campaign (2016): Netflix announced it would begin enforcing geo-restrictions by detecting and blocking VPN and proxy traffic. The move came under pressure from content licensors. VPN providers responded with obfuscation techniques (residential IP pools, obfs4 protocols), sparking an ongoing detection arms race.

Online Exam Proctoring VPN Evasion (2020): During the COVID-19 pandemic shift to online proctoring, researchers documented students using VPN services to route traffic through IPs in countries with lower fraud scores, bypassing behavioral baselines established by proctoring platforms. This led platforms to incorporate device fingerprinting and multi-modal verification beyond IP-based signals.