Every HTTP request your application receives carries the sender's IP address. It's in the TCP header before your code even runs. And that single number reveals more than most developers realize -- not just geography, but ISP, connection type, proxy detection, and sometimes the specific organization behind the request. Understanding what an IP address tells you (and what it doesn't) is fundamental to building anything that involves rate limiting, fraud detection, geolocation, or access control.
The basics: what an IP address is
An IP address is a network layer identifier. IPv4 addresses are 32-bit numbers written as four octets: 192.168.1.1. IPv6 addresses are 128-bit numbers written in hexadecimal: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
Your public IP address is assigned by your ISP. It identifies the exit point of your network on the internet. If you're on home WiFi, every device in your house shares the same public IP through NAT (Network Address Translation). If you're on a corporate VPN, your traffic exits through the VPN server's IP.
The private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x) are used inside local networks and are never visible on the public internet. If you're seeing these in your server logs, you're behind a load balancer or reverse proxy and need to read the X-Forwarded-For header instead.
Geolocation: accurate to the city, not the house
IP geolocation works because IP address blocks are allocated regionally. IANA distributes blocks to Regional Internet Registries (RIRs), which allocate them to ISPs, which assign them to subscribers. Each allocation is registered with geographic information.
Databases like MaxMind GeoIP2 and IP2Location map IP ranges to locations based on this registration data, supplemented by latency measurements and user-reported data.
The accuracy varies:
- Country: 99%+ accurate for most IPs
- Region/State: 80-90% accurate
- City: 50-80% accurate, depends heavily on the ISP and country
- Exact address: not possible from IP alone
Mobile IPs are the least accurate because cellular carriers use centralized gateways. A phone connected to a cell tower in Portland might have an IP that geolocates to Seattle because the carrier's gateway is there.
VPN users will geolocate to the VPN server's location, which is the point.
What IP lookup reveals beyond location
A good IP lookup returns more than coordinates:
ISP and organization. The WHOIS data for an IP block includes the organization that owns it. If requests are coming from Amazon Technologies Inc., you're seeing traffic from AWS -- possibly a bot, a Lambda function, or a user on an EC2 instance. If it's Google LLC, it might be Googlebot or a user on Google Cloud.
ASN (Autonomous System Number). Every ISP and major network operator has an ASN. Knowing the ASN lets you categorize traffic: residential ISP, cloud provider, university, government network, or known proxy service.
Connection type. Some databases distinguish between residential, commercial, mobile, and datacenter IPs. Datacenter IPs are commonly associated with bots and scrapers because humans rarely browse from cloud servers.
Proxy and VPN detection. Commercial IP databases flag IPs known to belong to VPN providers, Tor exit nodes, and open proxies. This isn't foolproof -- new VPN servers appear constantly -- but it catches the majority of proxied traffic.
Practical use cases in web development
Rate limiting by IP. The simplest rate limiting strategy. Limit each IP to N requests per minute. Works well for APIs but has caveats: users behind NAT or corporate proxies share an IP, so overly aggressive limits cause false positives. Mobile users frequently change IPs as they move between towers.
```javascript
// Simple rate limiting with an in-memory store
const rateLimit = new Map();
const WINDOW = 60000; // 1 minute
const MAX = 100;

function checkRate(ip) {
  const now = Date.now();
  const record = rateLimit.get(ip) || { count: 0, start: now };
  if (now - record.start > WINDOW) {
    // Window expired: start a new one with this request
    record.count = 1;
    record.start = now;
  } else {
    record.count++;
  }
  rateLimit.set(ip, record);
  // true = allow the request, false = over the limit
  return record.count <= MAX;
}
```
Geolocation-based content. Serving different content based on the user's country -- currency, language, legal disclaimers. The accuracy is good enough for country-level decisions. Don't use IP geolocation for anything that requires precision below the city level.
Fraud detection. If a user's billing address is in New York but their IP geolocates to Nigeria, that's a signal (though not proof) of fraud. If the IP is a known datacenter or proxy, that's another signal. Fraud systems combine multiple signals; IP data is one input among many.
Compliance and access control. Blocking or restricting access based on country for legal compliance (GDPR, sanctions, content licensing). IP-based geoblocking is imperfect because VPNs exist, but it satisfies the legal requirement to make a reasonable effort.
The X-Forwarded-For problem
If your application sits behind a reverse proxy (Nginx, Cloudflare, AWS ALB), the IP you see in the TCP connection is the proxy's IP, not the user's. The user's real IP is in the X-Forwarded-For header:
X-Forwarded-For: 203.0.113.50, 70.41.3.18, 150.172.238.178
The leftmost IP is supposedly the original client. But here's the problem: X-Forwarded-For can be spoofed. A malicious client can send their own X-Forwarded-For header, and each proxy in the chain appends to it. You need to trust only the IPs added by proxies you control.
The safe approach is to count from the right. If you know your infrastructure has exactly two proxies (say, Cloudflare and Nginx), the third IP from the right is the client's. Never trust the leftmost value unconditionally.
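```javascript
// Assumed setting (not defined in the original snippet): how many entries
// from the right to count back. Adjust for your proxy chain.
const TRUSTED_PROXY_COUNT = 1;

function getClientIp(req) {
  const xff = req.headers['x-forwarded-for'];
  // req.socket replaces the deprecated req.connection
  if (!xff) return req.socket.remoteAddress;
  const ips = xff.split(',').map(ip => ip.trim());
  // Trust the IP added by your outermost known proxy
  // Adjust the index based on your proxy count
  return ips[ips.length - TRUSTED_PROXY_COUNT] || req.socket.remoteAddress;
}
```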
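An added example, not the article's code, that generalizes counting from the right: instead of a fixed proxy count it walks the header right to left and skips entries that belong to an allowlist of your own proxies, and it ignores the header entirely when the TCP peer is not one of them. `TRUSTED_PROXIES`, `resolveClientIp`, `leftmostIp` and all addresses are assumptions (constructed documentation-range values).

```javascript
// Assumed allowlist of proxies you operate (constructed addresses).
const TRUSTED_PROXIES = new Set(['198.51.100.10', '198.51.100.20']);

// xff: X-Forwarded-For value (string or array of strings) as received.
// peer: address of the TCP peer that connected to the application.
function resolveClientIp(xff, peer, trusted = TRUSTED_PROXIES) {
  // A request that did not arrive through one of our proxies gets no
  // say over its own identity: the header is ignored.
  if (!trusted.has(peer)) return peer;

  const raw = Array.isArray(xff) ? xff.join(',') : (xff || '');
  const hops = raw.split(',').map(s => s.trim()).filter(Boolean);

  // Walk right to left. Entries that are our own proxies are skipped;
  // the first address not on the allowlist was appended by a trusted
  // proxy and is the client as seen by our edge.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  // Header empty or made up only of our proxies: fall back to the peer.
  return peer;
}

// The naive reading, kept only for comparison: whatever the client sent first.
function leftmostIp(xff) {
  return xff.split(',')[0].trim();
}

// Constructed header: the client forged "192.0.2.99" before the edge proxy
// appended the real client address and the inner proxy appended the edge's.
const SAMPLE_XFF = '192.0.2.99, 203.0.113.50, 198.51.100.10';
```

With the sample header and peer `198.51.100.20`, `resolveClientIp` returns `203.0.113.50`, while `leftmostIp` returns the forged `192.0.2.99`.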
IPv6 considerations
IPv6 adoption is growing. In many countries, over 50% of traffic is now IPv6. Your rate limiting and geolocation systems need to handle both.
With IPv6, individual devices can have unique global addresses (no NAT), which makes rate limiting per-IP more precise but also means a single user might cycle through many addresses (IPv6 privacy extensions rotate addresses periodically).
A common approach is to rate-limit on the /64 prefix for IPv6, which corresponds to a single subnet -- roughly equivalent to a single household or office.
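One way to derive the rate-limit bucket described above, as an added example that is not the article's code: IPv4 addresses are used as-is, IPv6 addresses are reduced to their /64 prefix, and IPv4-mapped IPv6 addresses are folded back to IPv4 so a dual-stack listener does not give one client two buckets. The function names and the key format are assumptions.

```javascript
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(n => n <= 255) ? octets : null;
}

// Expand an IPv6 string into eight 16-bit integers, or null if malformed.
function expandIPv6(input) {
  let addr = input.split('%')[0];            // drop a zone id such as %eth0
  const lastColon = addr.lastIndexOf(':');
  const tail = addr.slice(lastColon + 1);
  if (tail.includes('.')) {                  // embedded dotted quad
    const o = parseIPv4(tail);
    if (!o || lastColon < 0) return null;
    addr = addr.slice(0, lastColon + 1) +
      ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = addr.split('::');
  if (halves.length > 2) return null;        // "::" may appear only once
  const compressed = halves.length === 2;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = compressed && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length;
  if (compressed ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(compressed ? missing : 0).fill('0'), ...rest];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map(g => parseInt(g, 16));
}

// Returns the bucket key, or null for input that is not a valid address.
function rateLimitKey(ip) {
  const v4 = parseIPv4(ip);
  if (v4) return v4.join('.');
  const g = expandIPv6(ip);
  if (!g) return null;
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) shares the bucket of the IPv4 address
  if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff) {
    return [g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.');
  }
  // First four groups are the /64 network part; the interface id is dropped
  return g.slice(0, 4).map(x => x.toString(16)).join(':') + '::/64';
}
```

Pass the returned key to `checkRate` in place of the raw address; a `null` key means the input was not an address and should be handled before it reaches the limiter.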
For quickly looking up the geolocation, ISP, and ASN for any IP address, I built an IP lookup tool at zovo.one/free-tools/ip-lookup that returns the information you need for debugging and development.
IP addresses are one of the oldest identifiers on the internet, and despite their limitations, they remain one of the most useful. The key is understanding what they can and can't tell you, and never treating an IP-based signal as proof of anything. It's a data point, not a verdict.
I'm Michael Lip. I build free developer tools at zovo.one. 350+ tools, all private, all free.