Anonymous IP detection
Arbitex enriches every incoming request’s source IP address with network intelligence, including anonymous traffic detection. When the MaxMind Anonymous IP database is configured, Arbitex identifies whether the request originates from a VPN service, public proxy, Tor exit node, or hosting/datacenter provider. This information is attached to the audit log entry for every request and is surfaced in the admin portal’s org health view.
What the Anonymous IP database detects
Arbitex maps the MaxMind Anonymous IP database (GeoIP2-Anonymous-IP.mmdb) onto four boolean flags:

| Flag | Description | Example sources |
|---|---|---|
| is_vpn | IP belongs to a known VPN service | Consumer VPN providers, corporate VPN egress |
| is_proxy | IP is a known public proxy | Open proxy servers, residential proxy networks |
| is_tor | IP is a Tor exit node | Tor network exit relays |
| is_hosting | IP is a hosting provider or datacenter | AWS EC2, Azure VM, GCP, DigitalOcean, Hetzner |
Each flag is a boolean. An IP can be flagged as multiple categories simultaneously — for example, a VPN provider operating out of a datacenter would set both is_vpn and is_hosting.
When the Anonymous IP database is not loaded, all four flags are null in the audit log. The system degrades gracefully and continues processing requests.
How it appears in the audit log
Each audit log entry includes an ip_enrichment object containing all enrichment fields. The anonymous IP flags are nested within it:

```json
{
  "request_id": "req_01abc123",
  "user_id": "user_01def456",
  "timestamp": "2026-03-10T16:30:00Z",
  "action_taken": "ALLOW",
  "ip_enrichment": {
    "country_code": "NL",
    "country_name": "Netherlands",
    "city": "Amsterdam",
    "isp": "Mullvad VPN",
    "is_vpn": true,
    "is_proxy": false,
    "is_tor": false,
    "is_hosting": true,
    "asn": 9009,
    "asn_org": "M247 Europe SRL"
  }
}
```

A null value for any flag means the Anonymous IP database was not loaded or the IP was not found in the dataset. It does not mean the flag is false, so treat null as "unknown" in filters and reports rather than as "not anonymous".
Filtering anonymous traffic in the audit log
Use the ip_enrichment fields as filter parameters when querying the audit log API:

```text
# All requests from VPN sources
GET /api/admin/audit-logs?ip_is_vpn=true&limit=100

# All requests from Tor exit nodes
GET /api/admin/audit-logs?ip_is_tor=true&limit=100

# Requests from anonymous sources that triggered a DLP action
GET /api/admin/audit-logs?ip_is_vpn=true&action=dlp_trigger&limit=100
```

Admin UI: Navigate to Admin > Audit Log, open the filter panel, and enable the VPN, Proxy, Tor, or Hosting filter chips. You can combine anonymous IP filters with other filters (user, group, action, date range).
Org health dashboard
The Admin > Health page shows a summary of anonymous traffic volume for the organization:
- Anonymous IP requests (last 7 days): total request count originating from VPN/proxy/Tor/hosting IPs
- Tor requests: count of requests from Tor exit nodes (typically expected to be near zero in enterprise environments)
- VPN requests: count, with trend over the last 7 days
These metrics refresh automatically every 60 seconds.
Compliance use cases
GLBA — suspicious activity monitoring
The Gramm-Leach-Bliley Act requires financial institutions to monitor for suspicious access to customer financial information. Requests to access or process financial data that originate from Tor exit nodes or known VPN services may represent unauthorized access attempts.
Filter the audit log for ip_is_tor = true or ip_is_vpn = true combined with entity_type = credit_card OR bank_account to identify potentially suspicious access. Review these entries as part of your GLBA information security program, and keep entries whose flags are null in scope as well: null means the source could not be classified, not that it was verified as non-anonymous.
PCI DSS — network access monitoring
PCI DSS Requirement 10 requires logging and monitoring of all access to cardholder data. Requests involving payment card data from anonymous or high-risk IP addresses (VPN, Tor, hosting providers) warrant enhanced scrutiny.
Export audit records with ip_is_vpn = true OR ip_is_tor = true as part of your quarterly PCI log review. The is_hosting flag is also relevant: requests originating from datacenter IPs outside your approved infrastructure may indicate unauthorized automation. Use the asn field alongside is_hosting to separate your own cloud egress from unknown datacenter sources.
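The two review filters described in the GLBA and PCI DSS sections (an anonymous source touching card or bank account data, and datacenter sources outside approved infrastructure) can also be run offline over an audit-log export. The script below is an added example and is not Arbitex code. It consumes JSON Lines entries shaped like the ip_enrichment object on this page, and assumes a hypothetical entity_types list on each entry and a hypothetical allowlist of approved hosting ASNs; the sample export is constructed. Entries whose flags are null go into a separate "unknown" bucket instead of being treated as non-anonymous.

```python
"""Review exported audit-log entries for anonymous-source access to sensitive data.

Added example, not Arbitex code. Assumes each entry carries the ip_enrichment
object documented on this page plus an `entity_types` list (hypothetical field
name) naming the sensitive data types detected in the request.
"""
import json

# GLBA / PCI review scope from this page: card and bank account data.
FINANCIAL_ENTITIES = {"credit_card", "bank_account"}

# Hypothetical allowlist of ASNs that belong to your own approved cloud
# infrastructure; constructed value, replace with your real egress ASNs.
APPROVED_HOSTING_ASNS = {16509}

ANON_FLAGS = ("is_vpn", "is_proxy", "is_tor", "is_hosting")

# Constructed sample export (JSON Lines). Not real traffic.
SAMPLE_EXPORT = """\
{"request_id": "req_01abc123", "entity_types": ["credit_card"], "ip_enrichment": {"is_vpn": true, "is_proxy": false, "is_tor": false, "is_hosting": true, "asn": 9009}}
{"request_id": "req_02", "entity_types": ["ssn"], "ip_enrichment": {"is_vpn": false, "is_proxy": false, "is_tor": true, "is_hosting": false, "asn": 64496}}
{"request_id": "req_03", "entity_types": ["bank_account"], "ip_enrichment": {"is_vpn": false, "is_proxy": false, "is_tor": false, "is_hosting": false, "asn": 64497}}
{"request_id": "req_04", "entity_types": ["credit_card"], "ip_enrichment": {"is_vpn": null, "is_proxy": null, "is_tor": null, "is_hosting": null, "asn": null}}
{"request_id": "req_05", "entity_types": [], "ip_enrichment": {"is_vpn": false, "is_proxy": false, "is_tor": false, "is_hosting": true, "asn": 16509}}
"""


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def anonymity(enrich):
    """Tri-state: 'anonymous', 'direct', or 'unknown'. A null flag is never 'direct'."""
    flags = [enrich.get(k) for k in ANON_FLAGS]
    if any(f is True for f in flags):
        return "anonymous"
    if all(f is False for f in flags):
        return "direct"
    return "unknown"  # database not loaded, or IP absent from the dataset


def review(entries):
    """Bucket request IDs for follow-up. Unknowns are reported, not silently dropped."""
    findings = {"glba_pci": [], "unapproved_hosting": [], "unknown": []}
    for entry in entries:
        enrich = entry.get("ip_enrichment") or {}
        rid = entry["request_id"]
        if anonymity(enrich) == "unknown":
            findings["unknown"].append(rid)
            continue
        sensitive = FINANCIAL_ENTITIES & set(entry.get("entity_types", []))
        # GLBA / PCI: Tor or VPN source touching card or bank account data.
        if sensitive and (enrich.get("is_tor") is True or enrich.get("is_vpn") is True):
            findings["glba_pci"].append(rid)
        # PCI: datacenter source that is not one of our own approved ASNs.
        if enrich.get("is_hosting") is True and enrich.get("asn") not in APPROVED_HOSTING_ASNS:
            findings["unapproved_hosting"].append(rid)
    return findings


if __name__ == "__main__":
    for bucket, ids in review(load_jsonl(SAMPLE_EXPORT)).items():
        print(f"{bucket}: {ids}")
```

Run against the constructed export, req_01abc123 lands in both the GLBA/PCI and the unapproved-hosting buckets, req_04 is reported as unknown, and req_05 (hosting, but from an allowlisted ASN) produces no finding. Point load_jsonl at a real export from the audit log API to use it for the quarterly review.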
General — policy enforcement
You can configure policy rules to apply different enforcement to anonymous traffic. For example, to require admin approval (PROMPT) for any request from a Tor exit node:

```json
{
  "name": "tor-exit-node-review",
  "conditions": { "ip_is_tor": true },
  "action": { "type": "PROMPT" }
}
```

Or to require an override reason for VPN-sourced requests accessing sensitive data:

```json
{
  "name": "vpn-sensitive-data-override",
  "conditions": {
    "ip_is_vpn": true,
    "entity_types": ["credit_card", "ssn", "bank_account"]
  },
  "action": { "type": "ALLOW_WITH_OVERRIDE" }
}
```

See Policy rule reference for the full list of IP enrichment conditions.
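To make the behaviour of rules like the two above concrete, including what happens when the Anonymous IP database is not loaded, here is a small reference evaluator. It is an added example, not Arbitex's policy engine; the real semantics are in the Policy rule reference. The semantics assumed here are hypothetical: every key in conditions must match (AND), ip_* keys compare against the request's ip_enrichment flags, entity_types matches when the request contains at least one listed type, rules are tried in order with the first match winning, and no match means ALLOW. The fail_closed switch is also an assumption of the example, showing one way to stop a null flag from quietly bypassing a rule.

```python
"""Reference evaluator for anonymous-IP policy rules like the two above.

Added example, not Arbitex's policy engine; consult the Policy rule reference
for the real semantics. Assumed here (hypothetical): every key in `conditions`
must match (AND), `ip_*` keys compare against the request's ip_enrichment flags,
`entity_types` matches when the request contains at least one listed type,
rules are tried in order with the first match winning, and no match means ALLOW.
"""

RULES = [
    {
        "name": "tor-exit-node-review",
        "conditions": {"ip_is_tor": True},
        "action": {"type": "PROMPT"},
    },
    {
        "name": "vpn-sensitive-data-override",
        "conditions": {"ip_is_vpn": True, "entity_types": ["credit_card", "ssn", "bank_account"]},
        "action": {"type": "ALLOW_WITH_OVERRIDE"},
    },
]


def condition_matches(key, expected, request, fail_closed):
    if key == "entity_types":
        return bool(set(expected) & set(request.get("entity_types", [])))
    if key.startswith("ip_"):
        actual = request.get("ip_enrichment", {}).get(key[3:])  # ip_is_tor -> is_tor
        if actual is None:
            # Flag unknown (database not loaded or IP absent). A null must not be
            # read as false; with fail_closed the rule fires as if the flag were set.
            return fail_closed and expected is True
        return actual == expected
    raise ValueError(f"unsupported condition key: {key}")


def evaluate(request, rules=RULES, fail_closed=False):
    """Return (matched rule name or None, action type)."""
    for rule in rules:
        if all(condition_matches(k, v, request, fail_closed) for k, v in rule["conditions"].items()):
            return rule["name"], rule["action"]["type"]
    return None, "ALLOW"


# Constructed requests, not real traffic.
TOR_REQUEST = {"ip_enrichment": {"is_tor": True, "is_vpn": False}, "entity_types": []}
VPN_CARD_REQUEST = {"ip_enrichment": {"is_tor": False, "is_vpn": True}, "entity_types": ["credit_card"]}
UNKNOWN_REQUEST = {"ip_enrichment": {"is_tor": None, "is_vpn": None}, "entity_types": ["credit_card"]}

if __name__ == "__main__":
    print(evaluate(TOR_REQUEST))                        # ('tor-exit-node-review', 'PROMPT')
    print(evaluate(VPN_CARD_REQUEST))                   # ('vpn-sensitive-data-override', 'ALLOW_WITH_OVERRIDE')
    print(evaluate(UNKNOWN_REQUEST))                    # (None, 'ALLOW')  fail-open default
    print(evaluate(UNKNOWN_REQUEST, fail_closed=True))  # ('tor-exit-node-review', 'PROMPT')
```

The last two calls are the point: with the database missing, a request carrying card data from an unclassified IP falls through to ALLOW under the default, whereas fail-closed makes the first rule that looks for a true flag fire, so rule order decides which action the unknown source receives.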
Configuration
The Anonymous IP database is configured separately from the main GeoIP City database:

| Environment variable | Description |
|---|---|
| GEOIP_MAXMIND_ANON_PATH | Path to the MaxMind Anonymous IP MMDB file (GeoIP2-Anonymous-IP.mmdb) |
| GEOIP_MAXMIND_PATH | Path to the MaxMind GeoIP2 City MMDB file (primary geo enrichment) |

Both variables are optional. The system starts normally when either or both are absent, with the corresponding enrichment fields returning null.

Example (SaaS platform, via environment):

```shell
GEOIP_MAXMIND_PATH=/data/geoip/GeoIP2-City.mmdb
GEOIP_MAXMIND_ANON_PATH=/data/geoip/GeoIP2-Anonymous-IP.mmdb
```

The files are loaded at startup and cached in memory. All lookups are served from an in-memory TTL cache (128,000 entries, 4-hour TTL). No network calls are made for IP lookups.
Checking database health
The /api/health endpoint reports the status of each GeoIP dataset:

```text
GET /api/health

{
  "geoip": {
    "health": "ok",
    "geo_source": "maxmind",
    "maxmind_healthy": true,
    "anon_healthy": true,
    "asn_healthy": true,
    "arin_healthy": false
  }
}
```

anon_healthy: true confirms the Anonymous IP database loaded successfully. anon_healthy: false means the database is not loaded and all anonymous IP flags will be null.
Hot-reloading the database
MaxMind publishes updated databases on a recurring schedule (see MaxMind's release notes for the current cadence). To pick up a new file without restarting the process, replace the file at GEOIP_MAXMIND_ANON_PATH and send SIGHUP:

```shell
kill -HUP $(cat /var/run/arbitex-platform.pid)
```

The dataset is atomically swapped and the lookup cache is flushed. Requests continue to be served during the reload; there is no interruption. Replace the file on disk with an atomic rename (write the new database to a temporary name in the same directory, then mv it over the old name) so that a reload never reads a partially written file, and confirm anon_healthy: true on /api/health afterwards.
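The SIGHUP only tells Arbitex to re-read the file; getting the new file into place safely is the operator's job. The script below is an added example, not part of Arbitex. It checks the downloaded file's SHA-256 against the checksum obtained with it, replaces the database with an atomic rename so a reload can never observe a half-written file, sends the SIGHUP using the pidfile from this page, and polls /api/health until anon_healthy is true. The health URL's host and port and the script's argument layout are assumptions.

```python
"""Install a new Anonymous IP database and hot-reload Arbitex, then verify.

Added example, not shipped with Arbitex. Pidfile path, health endpoint and the
anon_healthy field come from the documentation; the listener address is an
assumption (hypothetical local port).
"""
import hashlib
import json
import os
import shutil
import signal
import sys
import time
import urllib.request

PIDFILE = "/var/run/arbitex-platform.pid"
ANON_DB_PATH = "/data/geoip/GeoIP2-Anonymous-IP.mmdb"
HEALTH_URL = "http://127.0.0.1:8080/api/health"  # assumed local listener


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def install_database(new_file, expected_sha256, dest):
    """Verify the download, then swap it in with an atomic rename.

    The temporary copy lives in dest's directory so os.replace is a same-filesystem
    rename: a SIGHUP arriving at any moment sees either the old file or the new one,
    never a truncated one.
    """
    actual = sha256_of(new_file)
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch for {new_file}: got {actual}")
    tmp = dest + ".tmp"
    shutil.copyfile(new_file, tmp)
    os.replace(tmp, dest)
    return dest


def reload_arbitex(pidfile=PIDFILE):
    """Equivalent of: kill -HUP $(cat /var/run/arbitex-platform.pid)"""
    with open(pidfile) as f:
        pid = int(f.read().strip())
    os.kill(pid, signal.SIGHUP)
    return pid


def anon_db_healthy(health):
    """True only if geoip.anon_healthy is literally true in the /api/health payload."""
    return health.get("geoip", {}).get("anon_healthy") is True


def wait_for_anon_healthy(url=HEALTH_URL, timeout=30.0, interval=1.0):
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                if anon_db_healthy(json.load(resp)):
                    return True
        except (OSError, ValueError):
            pass  # not up yet or malformed; keep polling until the deadline
        time.sleep(interval)
    return False


if __name__ == "__main__":
    new_file, expected = sys.argv[1], sys.argv[2]
    install_database(new_file, expected, ANON_DB_PATH)
    reload_arbitex()
    ok = wait_for_anon_healthy()
    print("anon_healthy:", ok)
    sys.exit(0 if ok else 1)
```

Invoke it as `python update_anon_db.py /path/to/downloaded/GeoIP2-Anonymous-IP.mmdb <sha256>` (script name and paths are placeholders). A non-zero exit means the reload did not produce anon_healthy: true within the timeout, in which case every anonymous IP flag will be null until the problem is fixed.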
Data source
Anonymous IP detection uses the MaxMind Anonymous IP database (GeoIP2-Anonymous-IP.mmdb), a commercially licensed dataset that MaxMind updates on its own release schedule. MaxMind maintains this database by analyzing routing data, voluntary disclosures from VPN providers, and active network probing.
The database is a local MMDB file (no API calls). All lookups are performed offline within the Arbitex process.
Data accuracy: MaxMind’s Anonymous IP database covers the major commercial VPN services and well-known Tor exit nodes. Coverage of residential proxy networks and smaller VPN providers may be incomplete. The null return on an uncategorized IP does not guarantee the traffic is non-anonymous.
See also
- GeoIP enrichment admin guide — full GeoIP enrichment reference including country, city, ISP, ASN, and ARIN org fields
- Policy rule reference — using IP enrichment fields as rule conditions
- ALLOW_WITH_OVERRIDE governance — require override justification for anonymous-sourced requests
- Audit log — filtering and exporting audit records
- Compliance frameworks — GLBA and PCI DSS requirements