Anonymizing network
An anonymizing network is anything that sits between the user and your service to hide where the connection really comes from. Rupt classifies every IP and exposes four checks for it: ip_is_vpn, ip_is_proxy, ip_is_tor, and ip_is_hosting.
Using one isn't proof of bad intent. Plenty of ordinary people run a VPN for privacy or to reach their work network. But anonymizers are also the default tooling for account takeover, scraping, and fraud, because hiding the source IP is step one of not getting caught.
The kinds Rupt detects
- VPN: a tunnel that swaps the user's real IP for the VPN server's. Consumer VPNs (NordVPN, ExpressVPN, and the like) run from datacenter ranges Rupt recognizes. Residential or mobile VPNs route through real home and carrier IPs to look like ordinary users, which makes them harder to spot and a favorite of higher-effort fraud.
- Proxy: a relay that forwards requests on the user's behalf. Open and rotating proxies are the workhorses of scraping, since they spread traffic across many addresses to dodge rate limits.
- Tor: the onion network. Traffic exits through public Tor nodes that are easy to identify, so a Tor exit IP is unambiguous about wanting anonymity.
- Hosting / datacenter: the IP belongs to a cloud provider, not a residential ISP. Real customers rarely browse from a server, so datacenter traffic is one of the strongest automation tells.
Using it
Each flag is its own policy condition, so you can treat them differently. A common pattern is to tolerate VPNs (real users have them) but challenge or block Tor and datacenter traffic on sensitive actions. The flags also weight into risk scores: an anonymizer turns an otherwise ordinary new IP or impossible travel event into a much sharper signal.
- Need help? Contact support.
- Want to see Rupt in action? Request a demo.
- Questions? Talk to sales.
- Check out our changelog.
- Check our status page.
- LLM? Read llms.txt.