GhostProxies Icon GhostProxies

IP Address Proxy History and Risk Analysis Data

GhostProxies scans the public internet and maintains a historical log of proxy servers to calculate IP-based risk levels that help block cyber attacks and reduce fraud with less false positives.

123 0 11 79 58 190 100 53 91 242 33 31 Lookup

API

Request

https://ghostproxies.com/api/ is the API endpoint URL.

A token field is required as either an HTTP header, a GET field or a POST field in left-to-right descending order of precedence. The value is an authentication token generated from a user account.

The API pricing is $0.0008 per credit. Each input IP address included in input_ip_addresses costs 1 credit.

It accepts the following optional arguments as either GET or POST fields. If both are set, POST fields will overwrite GET fields.

input_ip_addresses is the list of public IPv4 addresses to look up, each separated by a non-alphanumeric string. Each value must be formatted as an x.x.x.x IP address or a x.x.x.x/y CIDR block. The suffix value y must be greater than or equal to 24 and less than or equal to 32. The maximum amount of IP addresses per request is 1024. The default value is the public IP address of the client.

output_ip_addresses_proxies_first_confirmed_timestamp_range_maximum is the largest timestamp allowed for when the first open proxy was confirmed in input_ip_addresses. The default value is the current timestamp.

output_ip_addresses_proxies_first_confirmed_timestamp_range_minimum is the smallest timestamp allowed for when the first open proxy was confirmed in input_ip_addresses. The default value is 0.

output_ip_addresses_proxies_last_confirmed_timestamp_range_maximum is the largest timestamp allowed for when the last open proxy was confirmed in input_ip_addresses. The default value is the current timestamp.

output_ip_addresses_proxies_last_confirmed_timestamp_range_minimum is the smallest timestamp allowed for when the last open proxy was confirmed in input_ip_addresses. The default value is 0.

output_ip_addresses_proxies_ports is the list of listening port numbers allowed for confirmed open proxy gateways in input_ip_addresses, each separated by a non-numeric string. Each maximum value is 65535 and each minimum value is 0. The default value is all ports.

output_ip_addresses_proxies_protocols is a list of protocols allowed for confirmed open proxy gateways in input_ip_addresses, each separated by a non-alphanumeric string. Each value must be http, https, socks4 or socks5. The default value is all protocols.

An example request is demonstrated with fake IP addresses using the following POST data in a JavaScript object.

{ "input_ip_addresses": "10.0.0.1,10.0.0.2 _-_- 192.168.0.0/24", "output_ip_addresses_proxies_first_confirmed_timestamp_range_maximum": "1672603688", "output_ip_addresses_proxies_first_confirmed_timestamp_range_maximum": "1704139688", "output_ip_addresses_proxies_last_confirmed_timestamp_range_maximum": "1672603688", "output_ip_addresses_proxies_last_confirmed_timestamp_range_maximum": "1704139688", "output_ip_addresses_proxies_ports": " , , ,80-1080 --- -- -", "output_ip_addresses_proxies_protocols": "http, https_-_-_socks5" }

Response

Each response contains the following fields.

output_ip_addresses is the array of output_ip_addresses_count number results.

label is the associated public IP address in x.x.x.x format.

proxies is the array of each confirmed open proxy as a combination of a port and a protocol.

first_confirmed_timestamp is the timestamp of when the first instance of an open proxy was confirmed on the label IP address.

last_confirmed_timestamp is the timestamp of when the last instance of an open proxy was confirmed on the label IP address.

port is the listening port number of the confirmed open proxy on the label IP address. Each maximum value is 65535 and each minimum value is 0.

protocol is the protocol of the confirmed open proxy on the label IP address. Each value is either http, https, socks4 or socks5.

proxies_first_confirmed_timestamp is the timestamp of when the first instance of any open proxy was confirmed on the label IP address.

proxies_last_confirmed_timestamp is the timestamp of when the last instance of any open proxy was confirmed on the label IP address.

proxies_ports_mapped_to_proxies is the array of each port key mapped to each proxy index value in proxies.

proxies_protocols_mapped_to_proxies is the array of each protocol key mapped to each proxy index value in proxies.

risk_level is the calculated risk level number of the label IP address. 0 is the lowest risk and 2 is the highest risk.

version is the IP version number of the adjacent label IP address. Each value is either 4 as IPv4 or 6 as IPv6.

An example response from the aforementioned example request is demonstrated with the following data in JSON format.

{ "output_ip_addresses": [ { "label": "10.0.0.1", "proxies": [ { "first_confirmed_timestamp": "1691482088", "last_confirmed_timestamp": "1691482088", "port": 80, "protocol": "http" }, { "first_confirmed_timestamp": "1691482088", "last_confirmed_timestamp": "1691482088", "port": 1080, "protocol": "http" }, { "first_confirmed_timestamp": "1691482088", "last_confirmed_timestamp": "1691482088", "port": 1080, "protocol": "socks5" } ], "proxies_first_confirmed_timestamp": "1691482088", "proxies_last_confirmed_timestamp": "1691482088", "proxies_ports": [ "80", "1080" ], "proxies_ports_mapped_to_proxies"": { "80": [ 0 ], "1080": [ 1, 2 ] }, "proxies_protocols": [ "http", "socks5" ], "proxies_protocols_mapped_to_proxies": { "http": [ 0, 1 ], "socks5": [ 2 ] }, "risk_level": 1, "version": 4 } ], "output_ip_addresses_labels_mapped_to_output_ip_addresses": { "10.0.0.1": 0 }, "output_ip_addresses_proxies_first_confirmed_timestamp": "1721717610", "output_ip_addresses_proxies_last_confirmed_timestamp": "1721717610", "status_message": "Success." }

Explanation

Are any of your IP addresses haunted by a "ghost proxy"?

GhostProxies refines IP address blacklisting methodology and increases the value of IP addresses by acknowledging the evolution of abuse compliance and enforcement tactics.

Illegal botnets on hacked user devices with unblockable residential IP addresses are being replaced with compliant, ethical, exclusive proxy networks that scrape website data for reputable businesses. ISPs and law enforcement are constantly taking down illegal botnets while allowing and monitoring compliant ones.

Blacklisting a residential IP creates more problems than it solves with too many false positives.

Furthermore, malicious VPN and authenticated proxy usage from hosting providers can be traced back to consumers through abuse reports, payment information and usage patterns, resulting in alternative enforcement based on RIR allocation policies, anti-bot technology, geolocation sanctions and vendor usage policies.

Blocking and filtering these instances based on IP address history data creates false positives and ruins the integrity of scarce IP addresses when they're allocated to other customers.

As a result, GhostProxies only focuses on IP addresses with a history of open proxy usage to ensure 100% accuracy and transparency during risk analyses.

When an IP address is exposed to the public on an open proxy listening port, hundreds of malicious hackers can hypothetically use stolen or unauthenticated WiFi and connect through the listening open proxy port to conduct fraudulent activity without accountability.

This all happens in a short period of time while new open proxy servers are created every minute.

These proxy servers end up on frequently-updated proxy lists. GhostProxies parses these lists and performs a deep scan to confirm which IP addresses are actually hosting functional open proxy servers.

From this information, GhostProxies calculates a proprietary risk level metric in real time and maintains a historical database of these "ghosts" left behind from proxies that appeared on any and all public IP addresses. Risk levels can fluctuate based on confirmation frequency and cooldown periods.

0 is low risk, 1 is medium risk and 2 is high risk. These 3 actionable risk levels are clearly-defined for practical implementations as opposed to percentage-based heuristics that require users to make their own complicated risk calculations without the source data.

This unique data is available in an API as a reliable "first line of defense" in automated website security and as a supplemental improvement to IP blacklist aggregation services that already provide their own metrics to consumers.