Frequently asked questions

• How IPPure Risk Score is Calculated
• What is Cloudflare Risk Score and Why It Varies
• What is WebRTC Leak and How to Prevent It
  • Why WebRTC Leak Happens
• What is Browser Fingerprinting and How to Prevent Tracking
  • Common Fingerprint Attributes
• What is JA3/JA4 Fingerprinting
  • JA3 Components
• What are Native IP and Broadcast IP
• What are Data Center IP and Residential IP
  • Residential IP
  • Data Center IP
  • Core Differences
  • Practical Impact

How IPPure Risk Score is Calculated

• IPPure data comes from Internet risk databases and honeypot statistics.
• IPs with monitoring records form the basis for risk control; popular IP ranges have denser records.
• An IP's risk score decays over time based on risk control records.
• Complete monitoring of all IPv4 addresses is impossible. If an IP has no records, its risk is inferred from its IP range and related information.
• IPv6 addresses are not scored due to the vast network space and limited data sources.

What is Cloudflare Risk Score and Why It Varies

• Cloudflare Enterprise provides a risk score representing the likelihood of traffic being bot traffic, called Bot Scores.
• Only available in the Enterprise plan; Free, Pro, and Business plans do not support it.
• Original Bot Score ranges from 1 to 99; higher means safer (closer to human traffic).
• To align with IPPure risk scoring (higher = riskier):
  Cloudflare Risk Score = 100 - Cloudflare Bot Score
• Indicates whether traffic may be automated; higher scores appear during DDoS or other network threats.
• Unlike IPPure (which measures general abuse: proxies, spam, bots, fraud), Cloudflare score focuses on network security.
• Public proxies often receive low risk scores because they might be legitimate human users.
• This parameter is mainly useful for DDoS defense, less for IP quality detection.
• Cloudflare does not provide a public API for arbitrary IPs; only the current visiting IP can be queried.

What is WebRTC Leak and How to Prevent It

WebRTC (Web Real-Time Communication) enables browsers to perform real-time audio/video and peer-to-peer data.
WebRTC Leak occurs when the ICE candidate exchange exposes local or public IPs even when using a VPN/proxy, compromising anonymity.

Why WebRTC Leak Happens

1. During P2P connections, browsers collect ICE candidates via STUN/TURN servers:
   • host (local LAN IP)
   • srflx (public IP via STUN)
   • relay (via TURN relay)
2. If host or srflx is exposed, third parties can see real LAN or public IPs.
3. VPNs usually affect HTTP(S) traffic, but WebRTC STUN requests can bypass them.

Prevention:

• Chrome: install either WebRTC Network Limiter or WebRTC Leak Prevent
• Firefox: set media.peerconnection.enabled to false in about:config to fully disable WebRTC.

What is Browser Fingerprinting and How to Prevent Tracking

Browser fingerprinting collects various device/browser attributes (browser version, OS, screen resolution, installed fonts, timezone, plugins, Canvas/WebGL output, etc.) to create an almost unique identifier for tracking without cookies.

Common Fingerprint Attributes

• User-Agent
• Screen resolution / color depth
• Timezone, language/locale
• Installed fonts & rendering differences
• Plugins / MIME types
• Canvas / WebGL rendering
• Text/Font measurement
• Audio context fingerprint
• Hardware concurrency / CPU cores
• Storage support, Do Not Track, cookies
• WebRTC local IP (may leak)

Characteristics:

• Fingerprints persist across cookies/private mode.
• Used for cross-site tracking, ad targeting, fraud detection.
• Hard to fully prevent; many attributes leak passively.

What is JA3/JA4 Fingerprinting

JA3 identifies TLS client implementations by hashing the Client Hello fields during TLS handshake, creating a unique client fingerprint.
Different browsers, apps, or malware produce distinct TLS parameter combinations.

JA3 Components

1. SSL Version
2. Cipher Suites
3. Extensions
4. Elliptic Curves
5. Elliptic Curve Formats

Concatenated and hashed via MD5 to generate the JA3 fingerprint.

JA4 (2023, Fox-IT/Salesforce) improves JA3:

• Less sensitive to field order changes
• Focused on TLS client (Client Hello)
• Better distinguishes minor implementation variations

What are Native IP and Broadcast IP

• Native IP: Registered IP matches server's country (real local resource)
• Non-native / Announced IP: IP advertised from a different region via BGP

Native vs non-native impacts IP quality, important for proxies, VPS, cross-border e-commerce, ads, crawlers.

What are Data Center IP and Residential IP

Residential IP

Public IPs assigned to home users by ISPs

Characteristics:

• Home/individual broadband users
• ASN typically ISP
• Connected via modem/router
• Natural user behavior

Pros: trusted, low risk, geolocation accurate
Cons: expensive, less stable, limited bandwidth

Data Center IP

IPs assigned to data centers, cloud providers, or hosting facilities

Characteristics:

• IDC/cloud ASN
• High bandwidth
• Used for servers, proxies, VPNs, CDN

Pros: fast, stable, low cost
Cons: easily detected as proxy/VPN, strict risk control, blacklisted

Core Differences

Feature	Residential IP	Data Center IP
Source	Home ISP	Cloud / IDC
ASN Type	ISP	Data Center
Geolocation Accuracy	High	Medium
Trust Level	✅ High	⚠️ Low
Blacklist Risk	Low	High
Price	Expensive	Cheap
Bandwidth/Stability	Moderate	High
Use Cases	Ads, social, risk control	Crawlers, proxy pools, websites
Detection Difficulty	Hard	Easy
Acquisition	P2P proxy, ISP allocation	Cloud, VPN, providers

Practical Impact

Scenario	Residential IP	Data Center IP
E-commerce / Ads	✅ Natural & safe	❌ Risk of ban
Cross-border login	✅ Human-like	⚠️ Detected as proxy
Crawling	⚠️ Expensive	✅ Fast
Streaming unlock	✅ Stable	❌ Often blocked
API requests	⚠️ Moderate stability	✅ Fast & reliable
Social platforms	✅ High pass rate	❌ More verification, ban risk