Ben Dowling is the Founder and CEO of IPinfo – an industry-leading IP address data service. He launched IPinfo in 2013 as a side hustle while working at Facebook and then as the CTO of Calm, the billion-dollar-valued meditation app. Since then, he's also founded Host.io, a powerful and fast domain name data API. Ben holds a Master of Engineering degree from the University of Southhampton.
This year, the VPN industry alone is expected to grow beyond $31 billion. And among the 4.33 billion active Internet users around the world, over 31 percent have used a VPN.
As popular as VPNs are, they only represent a small percentage of IP masking methods. Others include proxies, tor, relay usage, or a connection via a hosting provider, which can potentially be used to tunnel traffic.
And while some masked IPs are simply trying to protect their online personal information, many others hide their identity for malicious purposes such as exploiting server vulnerabilities, executing MITM attacks, stealing sensitive data, and more.
A recent study by IPinfo identified some interesting trends among masked IP addresses. Among these findings are some important takeaways for high-risk IP ranges, allowlisting/denylisting IPs, preventing IP spoofing, and ultimately securing cloud infrastructure by reducing your attack surface.
Here are the important metrics we’ll consider, from which we’ll draw applications for infrastructure security.
IPv4 versus IPv6 usage among masked identities
Comparison of most common IP masking methods
Deep dive into the most-widely-used VPN services
IPv4 versus IPv6 Usage Among Masked Identities
The team at IPinfo tracked IP masking on IPv4 and IPv6 addresses separately by running two separate queries in the database. For IPv4:
select SUM(func.f_rough_range_size(`range`)) from ipinfo.privacy where func.f_ip_family(`range`) = 4;
We then ran a similar query on all IPv6 addresses.
Of IPv4 addresses, around 308,824,804 users hide their identities. Approximately 1.1239648737961904 x 10-33 IPv6 addresses mask their IP address.
As you may have expected, the difference in these numbers is due largely to the massive pool of IPv6 addresses available. But as IPv6 adoption continues to grow, we expect to see even more masked IPs using IPv6. Here’s how IPv6 has grown over the past few years.
IPv6 adoption among Google users (courtesy of Kinsta.com)
Percentage-wise, 0.000330304% of all IPv6 addresses hide their identity, and approximately 7.190387789% of all IPv4 addresses hide their identity.
Comparison of IPv4 and IPv6 masked identities
It’s important to remember that IPv6 addresses have some added layers of security. Built into IPv6 are IPSec - IETF security protocols that promote authentication, security, and data integrity. While IPSec can be added to sites, servers, and routers using IPv4 addresses, the implementation is more expensive and therefore not widely used.
That being said, IPv4 addresses have a higher risk from malicious bots and spammers. But IPv6 security protocols don’t necessarily insulate these IPs from masked identities either.
When it comes to cloud penetration testing, identifying and tracking IPs is a very important component.
Comparison of Most Common IP Masking Methods
Among the many methods that exist for masking IPs, we found that the most common is hosting services - over 95 percent in fact. VPNs come in second place with around 5.24 percent.
Hosting providers often help bots and spammers hide their IPs. Plus, VPNs can also be operated through hosting services. This contributes to the large number of masked IPs attributed to hosting providers.
Another interesting stat is that Apple Private Relay (APR) is currently the third most popular method for masking IPs. While it only consumes 0.12 percent of all anonymous IPs, its ranking has significantly grown since APR's release in 2021.
APR traffic growth is also important because it’s geo-aware. Users can’t tunnel their IP to a different location using APR. While APR protects personal identifiers such as IP addresses, it still provides accurate, generalized location data. Ultimately this led to IPinfo working with Apple to create a geo-aware feature within our Privacy Detection dataset.
Deep Dive into the Most Common VPN Services
All of these other metrics led our team to wonder what VPNs are used the most. We found that VPN Gate outranks all other services. There are several probable reasons for this ranking. Most importantly, VPN Gate is free, and it’s open-source.
For VPN users these seem like upsides, but on the penetration testing side, VPN Gate’s free, open-source infrastructure may be vulnerable to MITM attacks due to misuse of the SSL certificate. Because VPN Gate lacks SSL certificate verification at the client site, a MITM attacker can hijack an IP by modifying the IP destination address and then implementing a TLS MITM attack.
Needless to say, this introduces vulnerabilities to both the VPN user and the sites, servers, and other infrastructure they access, leading to information theft, data breaches, compromised infrastructure security, and more.
For instance in 2013, Apple’s Fairplay - a digital rights management system - was attacked by a MITM attack, leading to pirated distribution of proprietary content. Since then, Fairplay MITM attacks have been used by other malicious entities to steal Apple IDs and passwords.
How AceDeceiver exploits Fairplay vulnerabilities (Source: Infosec)
What You Should Know About Geo-aware Services
As was mentioned in the previous section, APR is gaining traction among VPNs. Currently, it ranks fourth in our IP count below NordVPN and PureVPN.
Service
Number of IPs
VPN Gate
3021604
NordVPN
127121
PureVPN
112520
Apple Private Relay
90839
Separating APR traffic from other VPN users can be useful. APR users differ from VPNs because they seem to be more concerned about protecting their personal information than hiding their general location.
For instance, here’s a comparison of responses from IPinfo’s Privacy Detection database. The first is a typical response for IPs that aren’t masked by VPNs, tor usage, or hosting providers.
Shown below is what a typical Privacy Detection response reveals about masked IPs:
And finally, here’s what Privacy Detection queries show for APR users.
In contrast to the masked identity example, the APR response shows that this IP is located near Seattle, Washington. APR data, even though it’s masked, still contains useful information for penetration testing.
The fact that APR is one of the most-used privacy services means that there’s more threat intelligence to be gained from this somewhat anonymous data. As more geo-aware services come onto the market, IPinfo is ready to implement them into our Privacy Detection datasets.
For industries with high stakes - such as Fintech, Cybersecurity, Healthcare, and others - security issues from VPNs can introduce additional vulnerabilities. Privacy Detection data is one tool that can help digital rights management and digital infrastructure security develop mature application security programs, reduce attack surfaces, secure your networks, and more.
Try IPinfo’s Privacy Detection data for free. Sign up for a weeklong free trial of all our APIs.
NetSPI leverages IPInfo’s geolocation data set to identify new and changing IP addresses in our Attack Surface Management platform. Learn more about the platform capabilities: https://www.netspi.com/attack-surface-management/asm/.
[post_title] => Important Trends Among Masked Identities
[post_excerpt] => Explore important trends among masked IP addresses such as IPv4 vs IPv6, common IP masking methods, and the most used VPN services.
[post_status] => publish
[comment_status] => closed
[ping_status] => closed
[post_password] =>
[post_name] => important-trends-among-masked-identities
[to_ping] =>
[pinged] =>
[post_modified] => 2023-05-23 08:59:41
[post_modified_gmt] => 2023-05-23 13:59:41
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.netspi.com/?p=27903
[menu_order] => 196
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)
)
[post_count] => 1
[current_post] => -1
[before_loop] => 1
[in_the_loop] =>
[post] => WP_Post Object
(
[ID] => 27903
[post_author] => 123
[post_date] => 2022-06-14 08:00:00
[post_date_gmt] => 2022-06-14 13:00:00
[post_content] =>
This year, the VPN industry alone is expected to grow beyond $31 billion. And among the 4.33 billion active Internet users around the world, over 31 percent have used a VPN.
As popular as VPNs are, they only represent a small percentage of IP masking methods. Others include proxies, tor, relay usage, or a connection via a hosting provider, which can potentially be used to tunnel traffic.
And while some masked IPs are simply trying to protect their online personal information, many others hide their identity for malicious purposes such as exploiting server vulnerabilities, executing MITM attacks, stealing sensitive data, and more.
A recent study by IPinfo identified some interesting trends among masked IP addresses. Among these findings are some important takeaways for high-risk IP ranges, allowlisting/denylisting IPs, preventing IP spoofing, and ultimately securing cloud infrastructure by reducing your attack surface.
Here are the important metrics we’ll consider, from which we’ll draw applications for infrastructure security.
IPv4 versus IPv6 usage among masked identities
Comparison of most common IP masking methods
Deep dive into the most-widely-used VPN services
IPv4 versus IPv6 Usage Among Masked Identities
The team at IPinfo tracked IP masking on IPv4 and IPv6 addresses separately by running two separate queries in the database. For IPv4:
select SUM(func.f_rough_range_size(`range`)) from ipinfo.privacy where func.f_ip_family(`range`) = 4;
We then ran a similar query on all IPv6 addresses.
Of IPv4 addresses, around 308,824,804 users hide their identities. Approximately 1.1239648737961904 x 10-33 IPv6 addresses mask their IP address.
As you may have expected, the difference in these numbers is due largely to the massive pool of IPv6 addresses available. But as IPv6 adoption continues to grow, we expect to see even more masked IPs using IPv6. Here’s how IPv6 has grown over the past few years.
IPv6 adoption among Google users (courtesy of Kinsta.com)
Percentage-wise, 0.000330304% of all IPv6 addresses hide their identity, and approximately 7.190387789% of all IPv4 addresses hide their identity.
Comparison of IPv4 and IPv6 masked identities
It’s important to remember that IPv6 addresses have some added layers of security. Built into IPv6 are IPSec - IETF security protocols that promote authentication, security, and data integrity. While IPSec can be added to sites, servers, and routers using IPv4 addresses, the implementation is more expensive and therefore not widely used.
That being said, IPv4 addresses have a higher risk from malicious bots and spammers. But IPv6 security protocols don’t necessarily insulate these IPs from masked identities either.
When it comes to cloud penetration testing, identifying and tracking IPs is a very important component.
Comparison of Most Common IP Masking Methods
Among the many methods that exist for masking IPs, we found that the most common is hosting services - over 95 percent in fact. VPNs come in second place with around 5.24 percent.
Hosting providers often help bots and spammers hide their IPs. Plus, VPNs can also be operated through hosting services. This contributes to the large number of masked IPs attributed to hosting providers.
Another interesting stat is that Apple Private Relay (APR) is currently the third most popular method for masking IPs. While it only consumes 0.12 percent of all anonymous IPs, its ranking has significantly grown since APR's release in 2021.
APR traffic growth is also important because it’s geo-aware. Users can’t tunnel their IP to a different location using APR. While APR protects personal identifiers such as IP addresses, it still provides accurate, generalized location data. Ultimately this led to IPinfo working with Apple to create a geo-aware feature within our Privacy Detection dataset.
Deep Dive into the Most Common VPN Services
All of these other metrics led our team to wonder what VPNs are used the most. We found that VPN Gate outranks all other services. There are several probable reasons for this ranking. Most importantly, VPN Gate is free, and it’s open-source.
For VPN users these seem like upsides, but on the penetration testing side, VPN Gate’s free, open-source infrastructure may be vulnerable to MITM attacks due to misuse of the SSL certificate. Because VPN Gate lacks SSL certificate verification at the client site, a MITM attacker can hijack an IP by modifying the IP destination address and then implementing a TLS MITM attack.
Needless to say, this introduces vulnerabilities to both the VPN user and the sites, servers, and other infrastructure they access, leading to information theft, data breaches, compromised infrastructure security, and more.
For instance in 2013, Apple’s Fairplay - a digital rights management system - was attacked by a MITM attack, leading to pirated distribution of proprietary content. Since then, Fairplay MITM attacks have been used by other malicious entities to steal Apple IDs and passwords.
How AceDeceiver exploits Fairplay vulnerabilities (Source: Infosec)
What You Should Know About Geo-aware Services
As was mentioned in the previous section, APR is gaining traction among VPNs. Currently, it ranks fourth in our IP count below NordVPN and PureVPN.
Service
Number of IPs
VPN Gate
3021604
NordVPN
127121
PureVPN
112520
Apple Private Relay
90839
Separating APR traffic from other VPN users can be useful. APR users differ from VPNs because they seem to be more concerned about protecting their personal information than hiding their general location.
For instance, here’s a comparison of responses from IPinfo’s Privacy Detection database. The first is a typical response for IPs that aren’t masked by VPNs, tor usage, or hosting providers.
Shown below is what a typical Privacy Detection response reveals about masked IPs:
And finally, here’s what Privacy Detection queries show for APR users.
In contrast to the masked identity example, the APR response shows that this IP is located near Seattle, Washington. APR data, even though it’s masked, still contains useful information for penetration testing.
The fact that APR is one of the most-used privacy services means that there’s more threat intelligence to be gained from this somewhat anonymous data. As more geo-aware services come onto the market, IPinfo is ready to implement them into our Privacy Detection datasets.
For industries with high stakes - such as Fintech, Cybersecurity, Healthcare, and others - security issues from VPNs can introduce additional vulnerabilities. Privacy Detection data is one tool that can help digital rights management and digital infrastructure security develop mature application security programs, reduce attack surfaces, secure your networks, and more.
Try IPinfo’s Privacy Detection data for free. Sign up for a weeklong free trial of all our APIs.
NetSPI leverages IPInfo’s geolocation data set to identify new and changing IP addresses in our Attack Surface Management platform. Learn more about the platform capabilities: https://www.netspi.com/attack-surface-management/asm/.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Name
Domain
Purpose
Expiry
Type
YSC
youtube.com
YouTube session cookie.
52 years
HTTP
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Name
Domain
Purpose
Expiry
Type
VISITOR_INFO1_LIVE
youtube.com
YouTube cookie.
6 months
HTTP
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
We do not use cookies of this type.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
We do not use cookies of this type.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
We do not use cookies of this type.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Cookie Settings
Discover why security operations teams choose NetSPI.
