ipasis
Blog/Technical Guide

IP Classification Guide: Detecting Mobile, Residential, and Datacenter IPs

December 24, 20258 min read

Accurate IP classification is the cornerstone of modern threat intelligence. Distinguishing between a user on a cellular network, a home connection, or a server farm allows security engineers to enforce contextual policies—such as blocking scraping bots (Datacenter) while reducing friction for legitimate mobile users.

This guide details the technical characteristics of these connection types and demonstrates how to implement detection logic.

The Anatomy of Connection Types

1. Datacenter IPs

Origin: Cloud hosting providers (AWS, GCP, DigitalOcean), colocation centers, and VPN endpoints.

  • Technical Signature: Static IPs, high bandwidth, low latency, adjacent subnets often owned by the same entity.
  • Risk Profile: High. These IPs are the primary source of automated attacks, credential stuffing, and scraping. They rarely represent legitimate human browsing behavior unless associated with an enterprise VPN.

2. Residential IPs

Origin: ISPs providing connectivity to homeowners (Comcast, AT&T, Deutsche Telekom).

  • Technical Signature: Often dynamic (DHCP), associated with consumer-grade ASNs. Reverse DNS (PTR) records typically follow patterns like pool-x-x-x-x.isp.com.
  • Risk Profile: Low to Medium. While generally trusted, residential IPs are increasingly co-opted by proxy networks (RESIPs) via malware or unethical SDKs, allowing bots to route traffic through legitimate user devices.

3. Mobile IPs

Origin: Cellular networks (4G/5G) via Mobile Network Operators (T-Mobile, Vodafone).

  • Technical Signature: extensive use of CGNAT (Carrier-Grade NAT). A single public IP may represent thousands of distinct devices simultaneously. High IP rotation frequency.
  • Risk Profile: Low. Blocking mobile IPs carries a high risk of false positives due to shared infrastructure.

Detection Methodologies

Reliable detection requires a multi-layered approach involving ASN analysis, WHOIS data mining, and network fingerprinting. Reliance on local MaxMind databases alone often results in stale data regarding proxy usage.

Autonomous System Number (ASN) Analysis

Every IP belongs to an Autonomous System (AS). The AS organization type is the strongest indicator of IP classification.

  • Datacenter: ASNs registered to hosting companies (e.g., AS16509 Amazon.com).
  • ISP/Mobile: ASNs registered to telecommunications providers.

TCP/IP Stack Fingerprinting

Mobile devices, desktop OSs, and Linux servers (bots) exhibit distinct TCP stack behaviors. Analyzing the Initial Congestion Window (IW), MTU size, and TCP options order can validate if the traffic matches the claimed IP type.

Implementation Logic (Python)

Building an in-house detection engine requires aggregating BGP feeds and WHOIS data. However, for production environments, querying an enriched IP intelligence API is standard to ensure low latency and real-time accuracy.

Below is a Python implementation pattern using a dedicated intelligence provider to make routing decisions based on connection type.

import requests
import json

def classify_traffic(ip_address, api_key):
    # Endpoint for IPASIS or similar intelligence API
    url = f"https://api.ipasis.com/v1/{ip_address}"
    headers = {"X-API-Key": api_key}

    try:
        response = requests.get(url, headers=headers, timeout=1.5)
        response.raise_for_status()
        data = response.json()

        # Extract connection attributes
        asn_type = data.get('asn', {}).get('type') # e.g., 'isp', 'hosting', 'business'
        is_mobile = data.get('connection', {}).get('is_mobile', False)
        is_proxy = data.get('security', {}).get('is_proxy', False)

        # Security Logic Enforcement
        if is_proxy:
            return "BLOCK: Proxy Detected"
        
        if asn_type == 'hosting':
            return "CHALLENGE: Datacenter Traffic"
            
        if is_mobile:
            return "ALLOW: Mobile Traffic (Low Friction)"
            
        return "ALLOW: Standard Residential"

    except requests.exceptions.RequestException as e:
        # Fail open or closed depending on security posture
        return "ERROR: Lookup Failed"

# Example Usage
verdict = classify_traffic("203.0.113.45", "YOUR_API_KEY")
print(verdict)

Handling CGNAT and Mobile Rotation

Mobile IPs present a specific engineering challenge: Carrier-Grade NAT. Because thousands of users share one IP, rate-limiting based solely on IP address will inadvertently block legitimate users (collateral damage).

Strategy:

  1. Detect Mobile: Identify the connection_type as cellular.
  2. Pivot Fingerprint: If mobile, shift rate-limiting logic from IP-based to Session-based (Cookies, JWTs) or Device-Fingerprint-based.
  3. Do Not Blacklist: Never permanently blacklist a mobile IP; the malicious actor will rotate out, and a legitimate user will inherit the IP seconds later.

FAQ

Q: Can I detect connection types using only Regex on Hostnames? A: No. While regex on PTR records (e.g., looking for awslambda) helps, it is insufficient. Many hosting providers have generic or missing RDNS records. ASN classification is required for accuracy.

Q: How accurate is GeoIP for connection type detection? A: GeoIP databases focus on location, not connection topology. You specifically need an ISP/ASN database to determine if an IP is residential or datacenter.

Q: Why are Residential Proxies harder to detect? A: They route traffic through real user devices. Detection requires analyzing TCP signatures, MTU mismatches, and behavioral velocity rather than just IP ownership.

Secure Your Infrastructure

Stop relying on stale databases and guesswork. IPASIS provides enterprise-grade IP intelligence with real-time detection for proxies, VPNs, and connection types.

Get your API Key and start filtering traffic programmatically today.

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key