Skip to content

ipanalytics/ASN-VPN-Network-Intelligence

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
asn_multi_provider.csv
asn_multi_provider.csv
 
 
vpn-ip.csv
vpn-ip.csv
 
 

Repository files navigation

VPN Network Intelligence

License Dataset Exports Focus

VPN Network Intelligence publishes operational CSV datasets derived from observed VPN infrastructure activity.

The repository focuses on ASN-level provider overlap and IPv4 network ranges associated with VPN provider infrastructure. The datasets are intended for fraud detection, abuse prevention, enrichment pipelines, network analytics, and infrastructure research.

Primary outputs:

  • asn_multi_provider.csv
  • vpn-ip.csv

Overview

VPN providers frequently share infrastructure across the same hosting networks, autonomous systems, and datacenter ranges.

This repository aggregates provider observations into lightweight operational datasets that can be consumed directly by SIEM pipelines, fraud engines, enrichment services, and analytics workflows.

The project intentionally publishes infrastructure indicators rather than binary reputation decisions.

Dataset Architecture

            VPN Infrastructure Sources
                         │
        ┌────────────────┼────────────────┐
        │                │                │
        ▼                ▼                ▼
   Provider Signals   ASN Mapping     Range Analysis
        │                │                │
        └────────────────┴───────┬────────┘
                                 ▼
                        Aggregation Layer
                   provider overlap analysis
                                 ▼
                          CSV Exports
                                 ▼
                    Fraud / SIEM / Analytics

Published Files

File Description
asn_multi_provider.csv ASNs where multiple VPN providers were observed
vpn-ip.csv IPv4 /24 ranges containing observed VPN infrastructure

ASN Multi-Provider Dataset

asn_multi_provider.csv identifies autonomous systems where infrastructure from multiple VPN providers has been observed.

Columns

Column Description
ASN Autonomous System Number
Org ASN organization name
IPs Observed VPN IP count
Providers Distinct VPN providers observed
Names Comma-separated provider names

Example

ASN,Org,IPs,Providers,Names
212238,CDNEXT,"5,263",22,"Astrill, CactusVPN, CyberGhost, ExpressVPN, Hide.me"

VPN Range Dataset

vpn-ip.csv publishes IPv4 /24 ranges containing observed VPN provider infrastructure.

The dataset is intentionally range-oriented to support lightweight enrichment, aggregation, and routing analysis workflows.

Columns

Column Description
range IPv4 /24 network range

Example

range
1.2.3.0/24
5.6.7.0/24

Usage Examples

Download ASN dataset

curl -fsSLO \
  https://raw.githubusercontent.com/ipanalytics/vpn-network-intelligence/main/asn_multi_provider.csv

Download VPN ranges

curl -fsSLO \
  https://raw.githubusercontent.com/ipanalytics/vpn-network-intelligence/main/vpn-ip.csv

Extract high-density VPN ASNs

awk -F, '$4 >= 10 { print }' asn_multi_provider.csv

Search for a provider

grep -i "NordVPN" asn_multi_provider.csv

Operational Use Cases

Domain Example
Fraud Detection VPN infrastructure risk scoring
Abuse Prevention Shared-hosting VPN detection
SIEM Enrichment ASN-level infrastructure context
Network Intelligence Provider overlap analysis
Threat Hunting Infrastructure clustering
Analytics VPN hosting concentration tracking

Design Goals

  • lightweight machine-readable exports
  • infrastructure-focused aggregation
  • low operational overhead
  • Git-native dataset publication
  • reproducible CSV generation
  • enrichment-oriented outputs

Dataset Semantics

ASN-Level Data

asn_multi_provider.csv indicates that multiple VPN providers were observed within the same ASN.

It does not imply:

  • every IP in the ASN belongs to a VPN provider
  • every provider uses every subnet in the ASN
  • all traffic from the ASN should be blocked

The dataset is intended as infrastructure context.

Range-Level Data

vpn-ip.csv indicates that at least one observed VPN provider IP existed within the published /24.

The ranges should be treated as probabilistic indicators suitable for:

  • scoring
  • enrichment
  • review queues
  • telemetry correlation

not as standalone enforcement decisions.

Operational Notes

  • VPN infrastructure changes frequently
  • Providers rotate datacenter allocations over time
  • Shared hosting environments are common
  • Multiple providers may legitimately overlap within the same ASN
  • Observed infrastructure does not inherently imply malicious activity

Integration Targets

Common deployment scenarios include:

  • SIEM enrichment
  • ClickHouse pipelines
  • Kafka stream enrichment
  • fraud/risk scoring systems
  • API gateway filtering
  • proxy detection
  • telemetry classification

Repository Layout

.
├── asn_multi_provider.csv
├── vpn-ip.csv
├── scripts/
├── docs/
├── LICENSE
└── README.md

Roadmap

Planned additions:

  • ASN historical deltas
  • IPv6 support
  • provider metadata normalization
  • compressed bulk exports
  • confidence weighting
  • overlap trend analysis

License

Licensed under CC0-1.0.

See LICENSE.

Disclaimer

This repository publishes observational VPN infrastructure indicators for operational and analytical use. Consumers are responsible for validating suitability within their own environments.

About

This repository publishes two CSV files generated from a VPN infrastructure collector

Topics

provider vpn asn

Resources

Readme

License

View license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors