Skip to main content
Methodology

VPN, Datacenter and Tor Traffic Detection Methodology

Traffic from a VPN, datacenter or Tor is not automatically bad — but it is an important signal to monitor when assessing traffic quality.

TL;DR

ClickSentinel determines whether an IP belongs to a VPN, datacenter hosting range or Tor exit node, based on ASN/hosting-provider data. This is one of several inputs to the Traffic Quality Score — it is not used to auto-block, but to help you decide which traffic deserves a closer look.

Why this signal matters

Most real users access the internet through a residential ISP (fixed-line or mobile carrier). Traffic from datacenter IP ranges (AWS, GCP, Azure, hosting providers) is more often tied to servers, scripts or automation tools than a typical user's browser. When a large volume of clicks arrives from these ranges, that is a signal worth investigating further — especially for paid traffic.

Signal categories

  • ASN / hosting provider of the IP.
  • IP ranges known to be datacenters (AWS, GCP, Azure, DigitalOcean, OVH, etc.).
  • VPN/proxy indicators from IP intelligence data.
  • Tor exit node indicators from public exit node lists.
  • Cross-checking IP geolocation against other available context — supplementary reference only.

How ClickSentinel uses these signals

VPN/datacenter/Tor signals are added to the Traffic Quality Score alongside duplicate detection, velocity patterns and cross-site IP reputation. A single VPN click with no other negative signal usually only receives a small deduction. A datacenter click combined with an abnormal velocity pattern, on the other hand, is penalized much more heavily.

What should not be automated

  • Don't auto-block all VPN traffic — many real users rely on a VPN for security, remote work or a company policy.
  • Don't treat every datacenter IP as a bot — some legitimate monitoring services or enterprise proxies also run on datacenter infrastructure.
  • Set thresholds and combine them with manual review rather than applying hard rules.
  • Whitelist known internal, partner or monitoring-service IPs before enabling any filtering mechanism.

For paid traffic from Google Ads, VPN/datacenter/Tor detection can be one input you consider when exporting an IP exclusion list in your ad account. The final decision — and any invalid-click dispute or refund request — should still be based on Google Ads' own policy and official tools.

Frequently asked questions

Is VPN traffic always a bad sign?
No. VPN is just one risk signal among many; most VPN traffic is still real users.
How do you know an IP belongs to a datacenter?
ClickSentinel cross-references the IP's ASN and range against known hosting-provider data (AWS, GCP, Azure, etc.).
Is Tor traffic automatically blocked?
No. ClickSentinel only flags it and deducts points; blocking is your decision via a blocklist export or your own server configuration.
Can I whitelist an office IP that uses a company VPN?
Yes, a per-site whitelist excludes confirmed legitimate IPs from every scoring signal.
Is VPN/datacenter data updated regularly?
Yes. IP intelligence data is cached and refreshed periodically (24-hour TTL) to reflect changes in providers' infrastructure.

Check your traffic quality for free

Want to see your own website's traffic quality score? Get started for free — no credit card required.