A client messages you: "I'm seeing a bunch of failed login attempts from some IP address — should I be worried?" Or their firewall dashboard shows a spike in traffic from a country they don't do business in. This is the fast triage process for exactly that message — three tools, in sequence, each answering one specific question, so you can give the client an actual answer instead of a shrug.
Step 1: IP Lookup — where is this actually coming from?
Start with IP Lookup. Enter the IP and look at:
- Organization / ISP — a familiar cloud provider name (AWS, DigitalOcean, OVH) versus an unfamiliar or blank organization tells you something different about who's likely behind the connection.
- Country — is it somewhere the client would plausibly have real traffic from, or somewhere they have zero business relationship with?
On its own, this doesn't prove anything — plenty of legitimate traffic comes from cloud providers and unexpected countries. It's the first data point, not the verdict.
Step 2: ASN Lookup — what kind of network is this, really?
Next, run the same IP through ASN Lookup. This is where the real signal usually is, and it's worth understanding the distinction:
- Residential ISP ASN (a regional broadband provider, a mobile carrier) — a failed login from here is much more likely to be an actual person, possibly even the client themselves mistyping a password, than an automated attack.
- Hosting or cloud provider ASN (AWS, DigitalOcean, Hetzner, OVH, and similar) — real people don't typically browse to a login page from a datacenter. Repeated login attempts from a hosting-provider ASN is a meaningfully stronger signal of scripted or automated attack activity than the same pattern from a residential IP, precisely because legitimate human traffic doesn't normally originate there.
- VPN or proxy-associated ASN — doesn't automatically mean malicious on its own (plenty of real, privacy-conscious users route through VPNs), but combined with repeated failed logins, it raises the signal further rather than lowering it.
Step 3: Reverse DNS — does it match what it claims to be?
Finally, run it through Reverse DNS Lookup. This matters most when the traffic is claiming to be something specific — a log entry with a user-agent saying "Googlebot," for instance. Real Googlebot IPs have PTR records that resolve back to Google's own infrastructure; an IP claiming to be Googlebot with no matching reverse DNS (or one pointing somewhere unrelated) is a real red flag for spoofing.
A missing PTR record on its own isn't suspicious — plenty of legitimate IPs don't have one. But combined with the ASN and claimed-identity context from the steps above, it's one more data point feeding the same picture.
What to actually tell the client
Three free tools and a few minutes of triage is a reasonable first pass, not a forensic investigation — be honest about that scope when you report back:
- Give a plain-language assessment, not a technical dump. "This looks like automated scanning from a hosting provider, not a real customer — low risk right now, but worth blocking" tells the client something they can act on. A list of ASN numbers and PTR records doesn't.
- Scale your recommendation to the actual signal. A single failed login from a residential ISP probably just needs a "keep an eye on it." Repeated attempts from a hosting-provider ASN with no matching reverse DNS for its claimed identity is worth actually blocking at the firewall or CDN level.
- Say clearly when it's beyond a quick check. If there's any sign of an actual successful login rather than just attempts, or if the pattern is genuinely large-scale, say so plainly rather than downplaying it because the client would prefer good news.
Bookmark this page — it's built to be the reference you pull up any time a client hands you a suspicious IP and wants a fast, real answer.