https://github.com/ipanalytics/asn-vpn-network-intelligence

This repository publishes two CSV files generated from a VPN infrastructure collector
https://github.com/ipanalytics/asn-vpn-network-intelligence

asn provider vpn

Last synced: 22 days ago
JSON representation

This repository publishes two CSV files generated from a VPN infrastructure collector

• Host: GitHub
• URL: https://github.com/ipanalytics/asn-vpn-network-intelligence
• Owner: ipanalytics
• License: other
• Created: 2026-05-14T08:33:50.000Z (about 1 month ago)
• Default Branch: main
• Last Pushed: 2026-05-19T08:19:23.000Z (28 days ago)
• Last Synced: 2026-05-19T09:57:29.664Z (28 days ago)
• Topics: asn, provider, vpn
• Homepage:
• Size: 68.4 KB
• Stars: 1
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# VPN Network Intelligence



  

    

  

 

  

    

  

  

    

  

  

    

  



---

VPN Network Intelligence publishes operational CSV datasets derived from observed VPN infrastructure activity.

The repository focuses on ASN-level provider overlap and IPv4 network ranges associated with VPN provider infrastructure. The datasets are intended for fraud detection, abuse prevention, enrichment pipelines, network analytics, and infrastructure research.

Primary outputs:

* `asn_multi_provider.csv`

* `vpn-ip.csv`

---

## Overview

VPN providers frequently share infrastructure across the same hosting networks, autonomous systems, and datacenter ranges.

This repository aggregates provider observations into lightweight operational datasets that can be consumed directly by SIEM pipelines, fraud engines, enrichment services, and analytics workflows.

The project intentionally publishes infrastructure indicators rather than binary reputation decisions.

---

## Dataset Architecture

```text id="pxjlwm"

            VPN Infrastructure Sources

                         │

        ┌────────────────┼────────────────┐

        │                │                │

        ▼                ▼                ▼

   Provider Signals   ASN Mapping     Range Analysis

        │                │                │

        └────────────────┴───────┬────────┘

                                 ▼

                        Aggregation Layer

                   provider overlap analysis

                                 ▼

                          CSV Exports

                                 ▼

                    Fraud / SIEM / Analytics

```

---

## Published Files

| File                     | Description                                              |

| ------------------------ | -------------------------------------------------------- |

| `asn_multi_provider.csv` | ASNs where multiple VPN providers were observed          |

| `vpn-ip.csv`             | IPv4 `/24` ranges containing observed VPN infrastructure |

---

## ASN Multi-Provider Dataset

`asn_multi_provider.csv` identifies autonomous systems where infrastructure from multiple VPN providers has been observed.

### Columns

| Column      | Description                     |

| ----------- | ------------------------------- |

| `ASN`       | Autonomous System Number        |

| `Org`       | ASN organization name           |

| `IPs`       | Observed VPN IP count           |

| `Providers` | Distinct VPN providers observed |

| `Names`     | Comma-separated provider names  |

### Example

```csv id="jlwm19"

ASN,Org,IPs,Providers,Names

212238,CDNEXT,"5,263",22,"Astrill, CactusVPN, CyberGhost, ExpressVPN, Hide.me"

```

---

## VPN Range Dataset

`vpn-ip.csv` publishes IPv4 `/24` ranges containing observed VPN provider infrastructure.

The dataset is intentionally range-oriented to support lightweight enrichment, aggregation, and routing analysis workflows.

### Columns

| Column  | Description              |

| ------- | ------------------------ |

| `range` | IPv4 `/24` network range |

### Example

```csv id="jlwm20"

range

1.2.3.0/24

5.6.7.0/24

```

---

## Usage Examples

### Download ASN dataset

```bash id="jlwm21"

curl -fsSLO \

  https://raw.githubusercontent.com/ipanalytics/vpn-network-intelligence/main/asn_multi_provider.csv

```

### Download VPN ranges

```bash id="jlwm22"

curl -fsSLO \

  https://raw.githubusercontent.com/ipanalytics/vpn-network-intelligence/main/vpn-ip.csv

```

### Extract high-density VPN ASNs

```bash id="jlwm23"

awk -F, '$4 >= 10 { print }' asn_multi_provider.csv

```

### Search for a provider

```bash id="jlwm24"

grep -i "NordVPN" asn_multi_provider.csv

```

---

## Operational Use Cases

| Domain               | Example                            |

| -------------------- | ---------------------------------- |

| Fraud Detection      | VPN infrastructure risk scoring    |

| Abuse Prevention     | Shared-hosting VPN detection       |

| SIEM Enrichment      | ASN-level infrastructure context   |

| Network Intelligence | Provider overlap analysis          |

| Threat Hunting       | Infrastructure clustering          |

| Analytics            | VPN hosting concentration tracking |

---

## Design Goals

* lightweight machine-readable exports

* infrastructure-focused aggregation

* low operational overhead

* Git-native dataset publication

* reproducible CSV generation

* enrichment-oriented outputs

---

## Dataset Semantics

### ASN-Level Data

`asn_multi_provider.csv` indicates that multiple VPN providers were observed within the same ASN.

It does not imply:

* every IP in the ASN belongs to a VPN provider

* every provider uses every subnet in the ASN

* all traffic from the ASN should be blocked

The dataset is intended as infrastructure context.

---

### Range-Level Data

`vpn-ip.csv` indicates that at least one observed VPN provider IP existed within the published `/24`.

The ranges should be treated as probabilistic indicators suitable for:

* scoring

* enrichment

* review queues

* telemetry correlation

not as standalone enforcement decisions.

---

## Operational Notes

* VPN infrastructure changes frequently

* Providers rotate datacenter allocations over time

* Shared hosting environments are common

* Multiple providers may legitimately overlap within the same ASN

* Observed infrastructure does not inherently imply malicious activity

---

## Integration Targets

Common deployment scenarios include:

* SIEM enrichment

* ClickHouse pipelines

* Kafka stream enrichment

* fraud/risk scoring systems

* API gateway filtering

* proxy detection

* telemetry classification

---

## Repository Layout

```text id="jlwm25"

.

├── asn_multi_provider.csv

├── vpn-ip.csv

├── scripts/

├── docs/

├── LICENSE

└── README.md

```

---

## Roadmap

Planned additions:

* ASN historical deltas

* IPv6 support

* provider metadata normalization

* compressed bulk exports

* confidence weighting

* overlap trend analysis

---

## License

Licensed under CC0-1.0.

See [`LICENSE`](./LICENSE).

---

## Disclaimer

This repository publishes observational VPN infrastructure indicators for operational and analytical use. Consumers are responsible for validating suitability within their own environments.