VPN & proxy detection

Arcjet provides IP reputation information in two places:

Decisions after calling protect() include IP address analysis fields. You can use this to customize responses. See the SDK reference for details e.g. Next.js.
Arcjet Filters have access to IP address analysis. You can use this to block traffic.

Available data

IP AS type. This is the Autonomous System associated with the IP, which can be used to identify VPNs and proxies. This can be one of isp, hosting, business or education.
IP type. Arcjet adds one or more categories to the IP address to help you identify VPNs and proxies. The categories are vpn, proxy, tor, hosting, relay.

Available fields

Filters	Decision
`ip.src.asnum.country`	`ip.asnCountry`
`ip.src.asnum.domain`	`ip.asnDomain`
`ip.src.asnum.name`	`ip.asnName`
`ip.src.asnum.type`	`ip.asnType`
`ip.src.asnum`	`ip.asn`
`ip.src.service`	`ip.service`
`ip.src.hosting`	`ip.isHosting()`
`ip.src.proxy`	`ip.isProxy()`
`ip.src.relay`	`ip.isRelay()`
`ip.src.tor`	`ip.isTor()`
`ip.src.vpn`	`ip.isVpn()`

Checking for data

The IP analysis fields may be undefined, but you can use various methods to check their availability. See the SDK reference for details.

1
// ... imports, client configuration, etc
2
// See https://docs.arcjet.com/get-started
3
const decision = await aj.protect(req);
4

5
if (decision.ip.hasASN() && decision.ip.asnType === "hosting") {
6
  // The network this IP belongs to is a hosting provider, which makes it more
7
  // likely to be a VPN, proxy, or other suspicious network.
8
}
9

10
if (
11
  decision.ip.isHosting() ||
12
  decision.ip.isProxy() ||
13
  decision.ip.isRelay() ||
14
  decision.ip.isTor() ||
15
  decision.ip.isVpn()
16
) {
17
  // The IP is from a hosting provider, proxy, relay, Tor, or VPN. We can check the name
18
  // of the service and customize the response
19
  if (decision.ip.hasService()) {
20
    if (decision.ip.service === "Apple Private Relay") {
21
      // We trust Apple Private Relay because it requires an active iCloud
22
      // subscription, so we can allow it
23
    } else {
24
      // Do something else
25
    }
26
  } else {
27
    // The service name is not available, but we can still do something here
28
  }
29
}

Examples

Block VPN traffic

Filter rules can be used to block traffic based on IP reputation:

1
// …
2
rules: [
3
  filter({
4
    deny: ['ip.src.vpn'],
5
    mode: "LIVE",
6
  })
7
],
8

9
// …
10

11
const decision = await aj.protect(req);
12

13
if (decision.isDenied()) {
14
  // Return 403 Forbidden
15
}

Customize response for Apple Private Relay

The ip field on a decision can be used to customize the response based on IP reputation:

1
// …
2
const decision = await aj.protect(req);
3

4
if (decision.isDenied()) {
5
  // Handle your other configured rules here.
6
}
7

8
// Otherwise, customize for Apple Private Relay:
9
if (decision.ip.service === "Apple Private Relay") {
10
  return new Response("Hello, Apple Private Relay user!");
11
}