IP Addresses in Data Centres: Distinguishing VPN Use from Actionable Attribution

Correct attribution begins by understanding what an IP address can represent and, just as importantly, what it cannot.

1. The Attribution Fallacy

The most common failure in modern tradecraft occurs at the first assumption.

When an investigator observes an IP address registered to a cloud provider such as DigitalOcean, AWS, or M247, the most common conclusion is: “The suspect is using a VPN.”

This conclusion is often wrong.

An IP address residing in a data centre can represent any of the following distinct infrastructure types:

  • Commercial VPN Exit: Shared by thousands of users simultaneously.
  • Tor Exit Relay: A public, volunteer-run anonymity relay whose address appears in the published exit list.
  • Rotating (Residential) Proxy: A home device whose connection is resold by a proxy network, often without the owner's informed consent (via malware or a bundled SDK), so the subscriber is frequently a victim rather than the actor.
  • Single Tenant VPS: A virtual server under the full, exclusive control of the actor.
  • Downstream Provider: A smaller host that leases address space and servers from a major provider and resells them to its own customers.

All of these look the same in a WHOIS record: data centre or hosting infrastructure. Forensically, however, they are worlds apart. A shared VPN exit hides one user among thousands; a single tenant VPS ties one user to a billing record.


2. Understanding the Routing Models

It is critical for the investigator to understand not just what an IP address is labelled as, but how it functions within the network architecture. These services rely on fundamentally different routing models.

Commercial VPNs

A commercial VPN is effectively a rented, encrypted tunnel. When active, the VPN software creates a virtual connection on the user’s device. This captures the network traffic leaving that device and encapsulates it inside an encrypted stream.

This traffic travels to the VPN provider’s server before exiting to the public internet. Because the traffic is aggregated at the provider’s server, it mixes with thousands of other users to obscure the origin. The destination website sees the VPN server’s IP address, not the user’s device.

Proxies

While often confused with VPNs, proxies function differently. A proxy acts as a simple middleman or relay for a specific connection. Unlike a VPN, which typically tunnels the entire device’s connection, a proxy is usually configured at the application level.

For example, a user might configure only their web browser to route traffic through a proxy server. The browser sends its requests to the proxy, which forwards them to the destination. The rest of the device’s traffic remains untouched. Proxies effectively mask the IP address for a specific task but often lack the encryption and encapsulation provided by VPN protocols.

Tor

Tor operates on a principle of decentralised trust. Instead of a single tunnel or relay, traffic is passed through a circuit of three relays, the guard (entry), middle, and exit, operated by volunteers around the world. Each relay knows only the hop before it and the hop after it, so no single operator sees both the user and the destination.

The exit relay is the final hop, where the last layer of Tor encryption is removed and the traffic enters the public internet (any TLS between the user and the destination remains intact). Because the purpose of Tor is to separate the user's identity from their destination, the IP address visible to investigators belongs to the volunteer running the exit relay, who has no knowledge of the traffic's origin. Exit relays are listed publicly by design, so an exit IP can be confirmed against the published list rather than inferred.

Virtual Private Servers

Unlike the examples above, a Virtual Private Server is not an anonymity network. It is raw infrastructure: a complete, standalone server environment. However, the ownership structure of a VPS dictates the investigative approach.

  • Direct Customer: The suspect rents the server directly from a major provider such as DigitalOcean, AWS, or Hetzner. The WHOIS record points to the provider, and legal process served to that provider may yield the suspect’s billing details.
  • Downstream or Reseller Customer: The suspect rents from a smaller hosting company. That company bulk rents infrastructure from a major provider and resells it.

Common investigative failure:
If an investigator serves legal process to the major provider identified in WHOIS for a downstream customer, the response will only identify the reseller, not the end user. This creates a "Russian doll" scenario. The registry record often reveals the arrangement: a reseller's block appears as a more specific object (for example a /27 carved out of the provider's /24) with its own holder name. Investigators should check for the most specific object covering the address before serving legal process, ensuring that orders are directed to the entity that actually holds the end user data.


3. The ASN Environment

To understand where traffic is coming from, investigators must look beyond the individual IP address and identify the territory it belongs to. This is the Autonomous System Number (ASN).

An ASN represents a collection of IP networks managed by a single organisation such as an internet service provider, a university, a government body, or a technology company, all sharing a common routing policy.

When traffic moves across the internet, individual routers forward packets hop by hop, but the decision of which network to hand a packet to is made between ASNs, which exchange reachability for their prefixes using the Border Gateway Protocol. Identifying the ASN provides the first major clue about the nature of the infrastructure.

The Landlord vs Tenant Distinction

The ASN identifies the landlord of the IP space, not the tenant.

  • Residential ASN: Owned by an ISP such as BT or Virgin Media. Traffic from these networks is likely a home user, or a proxy operating on a compromised residential device.
  • Hosting ASN: Owned by a cloud or hosting provider such as DigitalOcean, M247, or Leaseweb. Traffic from these networks is server based and may represent VPNs, VPS infrastructure, or corporate gateways.

An ASN owned by a known bulletproof hosting provider suggests a very different risk profile than an ASN owned by a university in the UK. However, investigators must avoid assuming that because an ASN hosts criminal infrastructure, all traffic originating from it is criminal.

Major cloud providers host Fortune 500 companies and malicious attack servers side by side. ASN reputation provides context, not proof.


4. Context Intelligence

Relying solely on WHOIS information frequently leads to investigative dead ends, particularly when large volumes of IP addresses resolve to data centre infrastructure. In high volume investigations, manually issuing enquiries against each address is neither practical nor proportionate.

Modern investigations therefore rely on infrastructure context to triage leads before legal process is considered. Rather than asking who owns an IP address, the more relevant question becomes how that IP address behaves within the wider network.

Infrastructure profiling platforms analyse global traffic patterns, routing behaviour, and historical usage to classify IP addresses by function rather than registration. This allows investigators to rapidly distinguish between shared anonymity services and single tenant infrastructure capable of holding evidential records.

Services such as Spur.us illustrate this form of infrastructure context by aggregating large scale network telemetry to assess whether an IP address is likely to represent:

  • A known VPN exit node, typically a low value investigative lead
  • A residential proxy, often indicating a compromised victim device
  • A data centre IP behaving as a single user, suggesting a virtual private server

Using this contextual intelligence allows investigators to filter out high volumes of noise and focus on infrastructure where preservation orders and provider enquiries are proportionate and likely to yield results.
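The following is an added example, not code from the original page or from any profiling service it mentions. It ties together the reseller check from section 2 (most specific registry object wins), the landlord-versus-tenant reading of the ASN from section 3, and the context triage of section 4, and it emits only the kind of capability-based wording section 5 recommends. All registry objects, ASNs, holder names and context tags are constructed for illustration (documentation ranges and private-use ASNs); a real workflow would substitute RDAP or WHOIS output and a telemetry feed for the inline tables.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NetObject:
    """One registry object (inetnum / NetRange style) covering a block."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    asn: str
    holder: str
    status: str  # "allocated" = landlord block, "sub-allocated" = reseller/tenant block


# Constructed sample registry data: documentation ranges, not real allocations.
NET_OBJECTS = [
    NetObject(ipaddress.ip_network("203.0.113.0/24"), "AS64500", "Example Cloud Ltd", "allocated"),
    NetObject(ipaddress.ip_network("203.0.113.64/27"), "AS64500", "Budget Reseller Hosting", "sub-allocated"),
    NetObject(ipaddress.ip_network("198.51.100.0/24"), "AS64496", "Example Telecom plc", "allocated"),
]

# Constructed ASN classification (the landlord type, as a feed might label it).
ASN_TYPE = {"AS64500": "hosting", "AS64496": "residential"}

# Constructed per-address context tags, standing in for a telemetry-based feed.
CONTEXT = {
    "203.0.113.10": {"vpn_provider": "ExampleVPN"},   # shared commercial exit
    "203.0.113.200": {"tor_exit": True},              # listed Tor exit relay
    "198.51.100.7": {"residential_proxy": True},      # home device resold as a proxy
    "203.0.113.70": {},                               # hosting IP, no shared-service tags
}


def most_specific_object(ip: str) -> Optional[NetObject]:
    """Longest-prefix match: the most specific registry object covering the IP.

    This is the entity that actually holds the customer relationship, so it is
    where preservation orders and enquiries should be directed.
    """
    addr = ipaddress.ip_address(ip)
    candidates = [o for o in NET_OBJECTS if addr in o.prefix]
    return max(candidates, key=lambda o: o.prefix.prefixlen, default=None)


def triage(ip: str) -> dict:
    """Classify an address by what the infrastructure is capable of, not by what
    the user is assumed to have installed, and say who (if anyone) to serve."""
    obj = most_specific_object(ip)
    if obj is None:
        return {"ip": ip, "lead": "unknown", "serve": None,
                "statement": "No registry object covers this address in the available data."}

    ctx = CONTEXT.get(ip, {})
    asn_type = ASN_TYPE.get(obj.asn, "unknown")

    if ctx.get("tor_exit"):
        lead, serve = "low", None
        statement = "Traffic was observed exiting via a published Tor exit relay."
    elif "vpn_provider" in ctx:
        lead, serve = "low", None
        statement = ("Traffic was observed exiting via infrastructure attributed to a "
                     "known commercial anonymity provider.")
    elif ctx.get("residential_proxy"):
        lead, serve = "medium", obj.holder  # subscriber may be a victim, not the actor
        statement = ("Traffic was observed exiting via a residential address reported as "
                     "part of a proxy network; the subscriber may be a compromised third party.")
    elif asn_type == "hosting":
        lead, serve = "high", obj.holder  # no shared-service tag: possibly single tenant
        statement = ("Traffic was observed exiting via hosting infrastructure with no "
                     "indication of a shared anonymity service.")
    elif asn_type == "residential":
        lead, serve = "high", obj.holder
        statement = "Traffic was observed exiting via a residential broadband address."
    else:
        lead, serve = "unknown", obj.holder
        statement = "Traffic was observed exiting via infrastructure of unclassified type."

    return {"ip": ip, "asn": obj.asn, "asn_type": asn_type, "holder": obj.holder,
            "holder_status": obj.status, "lead": lead, "serve": serve, "statement": statement}


if __name__ == "__main__":
    for sample in ("203.0.113.10", "203.0.113.70", "203.0.113.200", "198.51.100.7", "192.0.2.1"):
        r = triage(sample)
        print(f"{sample:15} lead={r['lead']:7} serve={r['serve']}  {r['statement']}")
```

Note what the reseller case produces: 203.0.113.70 sits inside Example Cloud Ltd's /24, but the /27 object is more specific, so the enquiry target is Budget Reseller Hosting, not the landlord that a bare WHOIS on the /24 would suggest. The VPN and Tor cases return no service target at all, reflecting that an order to the provider would identify a shared exit rather than a person.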

TOOL ACCESS:
For a deeper breakdown of infrastructure profiling techniques and an overview of freely accessible tools, refer to the Infrastructure and Network section of our tools page.


5. Defensible Conclusions

One of the most common errors in reporting is the conflation of observation with inference.

A statement such as “The suspect used a VPN” is an inference. It presumes knowledge of the software installed on the suspect’s device, something that cannot be proven by observing external network traffic alone. If that inference is challenged in court and the defence demonstrates that the suspect was using a proxy or corporate gateway instead, the investigator’s technical credibility is undermined.

Investigators must default to describing infrastructure capabilities rather than user configurations.

  • Weak Statement: “The suspect connected via NordVPN.”
  • Defensible Statement: “Traffic was observed exiting via infrastructure attributed to a known commercial anonymity provider.”

This distinction protects the integrity of the investigation. It accurately reflects what the data proves (the exit point) while respecting the limits of what remains unknown (the entry point and the software on the suspect's device). By maintaining this discipline, investigators ensure their conclusions remain robust, accurate, and resilient under cross examination.


Just because an IP address resolves to a data centre does not mean an investigation ends. Those who profile the infrastructure can see what is hidden within the Digital Shadow.