As promised in the previous blog post, I added new data sources to find more malicious IPs. I also added a new endpoint to the malicious IPs API:

To make an API call on this endpoint, simply call /bots/ips/ip-you-want-to-check where you should replace ip-you-want-to-check with the IP address you want to check.

You can call it using Curl or any HTTP request library you want:


Data returned by the API

For a given IP, an API call returns JSON content representing information about the IP requested.

  "matched": true,
  "ip": "",
  "autonomousSystemOrganization": "SpaceNet LLC",
  "autonomousSystemNumber": 44686,
  "country": "UA",
  "events": [

In case the IP address is present in the database, the matched field is set to true. Otherwise, it’s set to false. In all cases (even when the IP is not present in our database), we always return information about the IP:

  • ip: value of the requested IP,
  • autonomousSystemOrganization: name of the IP autonomous system (enriched using Maxmind)
  • autonomousSystemNumber: autonomous system number linked to the IP (enriched using Maxmind)
  • country: country of the IP address (enriched using Maxmind)
  • events: an array that contains a list of timestamps where the IP was flagged as malicious. In case the IP is not present in our database, it is an empty array

DISCLAIMER: Please try to be responsible when making API calls, rate limit your requests.

Antoine Vastel

Head of research at Datadome.