In This Guide
- Why Single IP Lookups Don't Scale
- How Bulk IP Lookup Works
- Using InfoSniper's Bulk IP Upload Tool
- API-Based Bulk Lookups for Automation
- Use Cases: Who Needs Bulk IP Geolocation
- What Data You Get Back
- Best Practices for Bulk IP Analysis
- Interpreting Bulk Results: Patterns to Look For
- Frequently Asked Questions
It is 7:14 AM and a SOC analyst opens her SIEM dashboard to find 487 flagged IP addresses from overnight alerts. Failed SSH logins, port scans against the DMZ, and a handful of outbound connections to IPs nobody recognizes. The ticket queue says "investigate source IPs" and the clock says the morning standup is in 46 minutes.
She is not going to paste 487 addresses into a lookup tool one at a time.
This is the scenario that makes bulk IP lookup tools essential. Whether you are a security analyst triaging alerts, a fraud team reviewing transaction logs, or a sysadmin trying to understand who has been hammering your web server, the need to geolocate many IP addresses at once comes up constantly. And the gap between "I have a list of IPs" and "I know where these IPs are from, who operates them, and what kind of connections they use" is exactly what bulk IP geolocation fills.
This guide covers the practical methods for looking up IP addresses in bulk: web-based upload tools, API-driven automation, and the workflows that connect raw IP lists to actionable intelligence.
Why Single IP Lookups Don't Scale
A single IP lookup on InfoSniper takes about 10 seconds of your time: paste the address, read the result. That is fine when you are investigating one suspicious login or checking where a particular visitor came from. It breaks down fast when the numbers go up.
The math is straightforward. If each manual lookup takes 30 seconds (navigate, paste, wait, read, copy data, move to next), 500 IPs consume over four hours of focused analyst time. And that is just the lookup itself, not the analysis of the results. According to a SANS SOC Survey, the average security operations center processes approximately 11,000 alerts per day, and 40% go uninvestigated because analysts simply run out of time. IP enrichment, where you add geographic and network context to raw addresses, is one of the most repetitive parts of that workflow.
Bulk lookup eliminates the mechanical part. Instead of 500 individual actions, you have one: upload the list, get structured results for every address. The time savings are not incremental. They are the difference between finishing an investigation and not starting it.
How Bulk IP Lookup Works
Regardless of the specific tool, bulk IP geolocation follows the same general pattern: you provide a list of IP addresses, the tool queries a geolocation database for each one, and you receive structured results back.
There are two primary approaches, and most teams end up using both depending on the situation:
- Web-based bulk upload — you paste a list of IPs or upload a CSV file through a browser interface. The tool processes them and displays results in a table you can review, sort, and export. This is ideal for one-off investigations: a morning's worth of firewall alerts, a batch of suspicious login IPs, a list extracted from log files.
- API-based automation — you write a script that sends IP addresses to a JSON or XML API endpoint and collects the structured responses. This is for recurring workflows: enriching SIEM data automatically, adding geolocation to transaction logs in a fraud pipeline, or building a scheduled job that processes yesterday's access logs every morning.
Both methods query the same underlying geolocation databases and return the same data fields. The difference is the interface: human-driven (browser) versus machine-driven (API).
Using InfoSniper's Bulk IP Upload Tool
The Bulk IP Upload tool on InfoSniper is designed for the most common bulk lookup scenario: you have a list of IP addresses and you want geolocation data for all of them, right now, without writing code.
Step-by-step walkthrough
- Go to infosniper.net/bulk-upload/ — the tool accepts both pasted text and CSV file uploads.
- Prepare your IP list — one IP address per line. The tool handles both IPv4 and IPv6. You can paste directly from a log file, spreadsheet, or SIEM export. The tool also accepts CSV files where IPs appear in a column.
- Submit the batch — the tool validates every entry, removes duplicates and private/reserved ranges (like 10.x.x.x and 192.168.x.x), then processes the remaining valid public IPs against the geolocation database.
- Review results — each IP returns a row with country, city, ISP, coordinates, AS number, and connection type. You can sort by any column to quickly spot patterns: which country appears most? Which ISP? Are multiple IPs on the same autonomous system?
- Export — download the results as CSV for further analysis in Excel, Google Sheets, or a database.
```
# Paste one IP per line (comments and blank lines are ignored)
203.0.113.42
198.51.100.7
2001:0db8:85a3::8a2e:0370:7334
45.33.32.156
104.16.132.229
185.199.108.153
8.8.8.8
1.1.1.1
```
When to use the bulk upload tool versus the API
The bulk upload tool handles up to 100 IPs per batch and is the right choice when you need answers quickly without building anything. Pull the IPs from a log, paste them in, get results. If you routinely need to process more than 100 IPs at a time, or you want the process to happen automatically as part of a larger system, the API is the better path.
API-Based Bulk Lookups for Automation
When you need to process hundreds or thousands of IP addresses regularly, or integrate geolocation into an existing pipeline, the InfoSniper API is the tool to use. It provides JSON and XML endpoints that return structured geolocation data for any IP address.
JSON API basics
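The JSON endpoint accepts GET or POST requests with two parameters: your API key and the IP address to look up. With GET, the key is part of the URL, so it can end up in shell history and proxy logs; treat it as a secret.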
```bash
curl "https://www.infosniper.net/json.php?k=YOUR_API_KEY&ip_address=203.0.113.42"
```

```json
{
  "result": {
    "ipaddress": "203.0.113.42",
    "hostname": "host-203-0-113-42.example.net",
    "provider": "Example Telecom",
    "country": "Australia",
    "countrycode": "AU",
    "countryflag": "https://www.infosniperpro.com/country_flags/au.gif",
    "state": "NSW",
    "city": "Sydney",
    "areacode": "n/a",
    "postalcode": "2000",
    "dmacode": "+61",
    "timezone": "Australia/Sydney",
    "gmtoffset": "+11:00",
    "continent": "Oceania",
    "latitude": -33.8688,
    "longitude": 151.2093,
    "asnumber": 1221,
    "asorganization": "Telstra Corporation Ltd",
    "connectiontype": "isp",
    "queries": 4850,
    "accuracy": 0
  }
}
```
Scripting bulk lookups
To process a list of IPs, you loop through your file and call the API for each address. Here are working examples in the most common languages used for this task.
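```bash
#!/bin/bash
API_KEY="YOUR_API_KEY"
INPUT_FILE="suspicious_ips.txt"
OUTPUT_FILE="results.json"

echo "[" > "$OUTPUT_FILE"
first=true
while IFS= read -r ip; do
    # Skip empty lines and comments
    [[ -z "$ip" || "$ip" == \#* ]] && continue
    # Rate-friendly delay
    sleep 0.2
    # -G with --data-urlencode sends each input line as one encoded query value,
    # so a malformed line cannot add or change request parameters
    result=$(curl -sG --fail "https://www.infosniper.net/json.php" \
        --data-urlencode "k=${API_KEY}" \
        --data-urlencode "ip_address=${ip}") || { echo "Lookup failed: $ip" >&2; continue; }
    # Skip empty responses so the output file stays valid JSON
    [[ -z "$result" ]] && continue
    if [ "$first" = true ]; then
        first=false
    else
        echo "," >> "$OUTPUT_FILE"
    fi
    echo "$result" >> "$OUTPUT_FILE"
done < "$INPUT_FILE"
echo "]" >> "$OUTPUT_FILE"
echo "Done. Results saved to $OUTPUT_FILE"
```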
```python
import csv
import time

import requests

API_KEY = "YOUR_API_KEY"
API_URL = "https://www.infosniper.net/json.php"


def lookup_ip(ip_address):
    """Query the JSON endpoint for one address and return its 'result' object."""
    params = {"k": API_KEY, "ip_address": ip_address}
    resp = requests.get(API_URL, params=params, timeout=10)
    resp.raise_for_status()  # Treat HTTP errors as failures, not as empty results
    return resp.json().get("result", {})


# Read IPs from file, skipping blank lines and comments
with open("ip_list.txt") as f:
    ips = [line.strip() for line in f
           if line.strip() and not line.strip().startswith("#")]

# Look up each IP and write results
with open("bulk_results.csv", "w", newline="") as out:
    fields = ["ipaddress", "country", "city", "state",
              "provider", "asnumber", "connectiontype",
              "latitude", "longitude", "timezone"]
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for ip in ips:
        try:
            data = lookup_ip(ip)
            writer.writerow(data)
            print(f"  {ip} -> {data.get('city')}, {data.get('country')}")
        except (requests.RequestException, ValueError) as e:
            # Network errors, HTTP errors, and non-JSON responses end up here
            print(f"  {ip} -> ERROR: {e}")
        time.sleep(0.2)  # Rate-friendly

print(f"Processed {len(ips)} IPs. Results in bulk_results.csv")
```
Both scripts include a 200ms delay between requests. This is not a hard rate limit but a courteous practice that ensures smooth processing without overwhelming the server. For higher-throughput needs, monthly subscription plans provide higher request allowances.
Use Cases: Who Needs Bulk IP Geolocation
Bulk IP lookup is not a niche capability. It is a fundamental building block in several operational workflows across security, fraud, compliance, and marketing.
SOC and incident response
Security teams use bulk IP geolocation constantly. When a brute-force campaign hits your SSH servers with 300 different source IPs, the first question is: are these from one region (suggesting a single actor using an IP pool) or globally distributed (suggesting a botnet)? Bulk lookup answers that question in seconds.
The enrichment also feeds triage decisions. If 80% of the attacking IPs geolocate to hosting providers rather than residential ISPs, you are likely looking at compromised servers or rented infrastructure, not individual users. That changes the response. You can block entire ASNs or hosting ranges rather than playing whack-a-mole with individual addresses.
Cross-referencing bulk geolocation results with IP reputation data makes this even more effective. An IP from a known hosting provider that also has a poor reputation score is a much stronger signal than either data point alone.
Fraud analysis
E-commerce fraud teams process transaction logs where each order has an associated IP address. Bulk lookup lets them flag geographic mismatches at scale: orders where the IP country does not match the billing address, or where the same IP (or IP block) appears across multiple accounts. According to the Merchant Risk Council's 2025 Global eCommerce Payments and Fraud Report, the value of e-commerce fraud is projected to rise from $44.3 billion in 2024 to $107 billion by 2029. Automated IP enrichment is one of the signals fraud systems use to catch these transactions before they ship.
The connection type field is particularly valuable for fraud scoring. An order placed from a "hosting" or "proxy" connection type carries more risk than one from a "residential" connection, all else being equal.
Log analysis and server administration
Web server access logs record every request with the client IP. When you see a spike in 404 errors, a surge in traffic to a specific endpoint, or unusual patterns in your error logs, bulk IP lookup tells you where the traffic is coming from. Is it a legitimate traffic spike from a social media share, or is it a scraping operation originating from a single data center?
Compliance and geo-restriction auditing
Organizations that serve content or services restricted by geography need to verify their controls work. Bulk lookups on access logs can reveal whether users from restricted regions are reaching protected resources, possibly through VPNs or proxies. Financial services, gambling platforms, and streaming services run these audits regularly.
Marketing and audience analytics
Beyond Google Analytics, bulk IP geolocation gives marketing teams raw, unsampled geographic data about their website visitors. This is useful for verifying that ad campaigns are reaching their target geographies, understanding organic traffic distribution, and making decisions about content localization or regional landing pages.
What Data You Get Back
Each IP address in a bulk lookup returns a full set of geolocation and network metadata. Understanding what each field means helps you extract the most value from the results.
| Field | Description | Why It Matters |
|---|---|---|
| Country / Country Code | Two-letter ISO code and full country name | First-pass geographic filter. 95-99% accurate |
| State / Region | Administrative region (state, province, etc.) | Narrows location beyond country level |
| City | Nearest city to the IP routing point | 80-90% accurate in US/EU, lower elsewhere |
| Latitude / Longitude | Coordinates of estimated location | For plotting on maps and distance calculations |
| ISP / Provider | Internet service provider operating this IP range | Distinguishes residential, hosting, corporate |
| AS Number | Autonomous System number of the network | Groups IPs by network operator. Key for blocking decisions |
| AS Organization | Name of the entity operating the AS | Identifies cloud providers, ISPs, enterprises |
| Connection Type | Residential, hosting, mobile, business, etc. | Critical for fraud scoring and threat assessment |
| Timezone / GMT Offset | IANA timezone and offset from UTC | Detects time-based anomalies in login patterns |
| Hostname | Reverse DNS hostname for the IP | Often reveals ISP or hosting provider identity |
| Postal Code | Estimated postal/ZIP code area | Finer-grained location when available |
| Continent | Continent where the IP is located | Useful for high-level geographic grouping |
The combination of ISP, AS number, and connection type is particularly powerful in bulk analysis. A cluster of IPs might all geolocate to the same city, but if they share the same AS number and connection type of "hosting," you are looking at a data center operation, not individual users. That distinction changes the interpretation entirely.
Best Practices for Bulk IP Analysis
Getting good results from bulk IP lookups is not just about running the lookup. How you prepare the data and what you do with the results determines whether the output is actionable or just noise.
1. Deduplicate before you submit
Log files frequently contain the same IP address hundreds of times. If an IP hit your server 400 times, you do not need to look it up 400 times. Deduplicate your list first. In Linux, this is trivial:
```bash
# Extract IPs from an Apache access log, deduplicate, and sort
awk '{print $1}' access.log | sort -u > unique_ips.txt

# Count: how many unique IPs vs. total requests?
echo "Total requests: $(wc -l < access.log)"
echo "Unique IPs: $(wc -l < unique_ips.txt)"
```
A web server log with 50,000 lines might contain only 800 unique IP addresses. Looking up 800 is very different from looking up 50,000.
2. Filter out private and reserved ranges
Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and reserved addresses (127.0.0.1, 0.0.0.0) will not return useful geolocation data because they are not routed on the public internet. InfoSniper's bulk tool filters these automatically, but if you are using the API, filtering them before submission saves API credits and processing time.
X-Forwarded-For or X-Real-IP header value instead.
3. Preserve the count
When you deduplicate IPs, you lose frequency information. Before deduplicating, count how many times each IP appears. An IP that made 3 requests is different from one that made 3,000. After the bulk lookup, merge the frequency count back into the geolocation results.
```bash
# Get unique IPs with request counts, sorted by frequency
awk '{print $1}' access.log | sort | uniq -c | sort -rn > ip_counts.txt

# Output format:
#   4521 203.0.113.42
#    891 198.51.100.7
#     12 45.33.32.156
#      3 104.16.132.229
```
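Practices 1 to 3 can be done in one pass before any API call. The following is an added example, not InfoSniper's code: it validates the first field of each log line, drops addresses that are not publicly routable, merges different spellings of the same IPv6 address, and keeps the request count per address. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample input: access-log style lines, client address in field 1.
SAMPLE_LOG = [
    '8.8.8.8 - - [10/Mar/2025:03:12:01 +0000] "GET /login HTTP/1.1" 401 512',
    '8.8.8.8 - - [10/Mar/2025:03:12:02 +0000] "GET /login HTTP/1.1" 401 512',
    '8.8.8.8 - - [10/Mar/2025:03:12:03 +0000] "GET /login HTTP/1.1" 401 512',
    '1.1.1.1 - - [10/Mar/2025:03:15:40 +0000] "GET / HTTP/1.1" 200 1043',
    '10.0.0.5 - - [10/Mar/2025:03:16:00 +0000] "GET /health HTTP/1.1" 200 2',
    '192.168.1.20 - - [10/Mar/2025:03:16:05 +0000] "GET / HTTP/1.1" 200 1043',
    '127.0.0.1 - - [10/Mar/2025:03:16:09 +0000] "GET /status HTTP/1.1" 200 88',
    '203.0.113.42 - - [10/Mar/2025:03:17:11 +0000] "GET / HTTP/1.1" 200 1043',
    '2606:4700:4700::1111 - - [10/Mar/2025:03:18:00 +0000] "GET / HTTP/1.1" 200 1043',
    '2606:4700:4700:0:0:0:0:1111 - - [10/Mar/2025:03:18:30 +0000] "GET / HTTP/1.1" 200 1043',
    'not-an-ip - - [10/Mar/2025:03:19:00 +0000] "GET / HTTP/1.1" 400 0',
    '# exported 2025-03-10',
    '',
]


def prepare_ip_list(log_lines):
    """Return (counts, skipped).

    counts  -- Counter mapping each public IP (canonical text form) to its
               number of occurrences, so frequency survives deduplication.
    skipped -- Counter of tokens left out, keyed by reason.
    """
    counts, skipped = Counter(), Counter()
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split()[0]
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            skipped["invalid"] += 1      # hostnames, "-", truncated fields
            continue
        # is_global is False for private, loopback, link-local and
        # documentation ranges (203.0.113.0/24, 2001:db8::/32), none of
        # which geolocate to anything useful.
        if not addr.is_global:
            skipped["non_public"] += 1
            continue
        counts[str(addr)] += 1           # str() gives one canonical spelling
    return counts, skipped


def submission_order(counts):
    """Unique addresses to submit, busiest first."""
    return [ip for ip, _ in counts.most_common()]


if __name__ == "__main__":
    counts, skipped = prepare_ip_list(SAMPLE_LOG)
    for ip in submission_order(counts):
        print(f"{counts[ip]:>6} {ip}")
    print("skipped:", dict(skipped))
```

Keep `counts` alongside the lookup output so the request count can be joined back onto each result row by IP address.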
4. Timestamp context matters
An IP address alone has limited meaning. An IP address with a timestamp range has much more. When preparing bulk lists for investigation, include or note the time window. The same IP might be benign during business hours (a known partner) and suspicious at 3 AM (indicating compromise). Keep your time context alongside the IP list even if the geolocation tool does not process it directly.
5. Use the right tool for the volume
| Volume | Best Method | Why |
|---|---|---|
| 1-10 IPs | Single lookup on InfoSniper | Fastest for small numbers; no setup needed |
| 10-100 IPs | Bulk Upload tool | Paste and go; results in a sortable table |
| 100-1,000 IPs | JSON API with a script | Automated processing; CSV or database output |
| 1,000+ IPs (daily) | API with monthly plan | High-volume allowance; pipeline integration |
Interpreting Bulk Results: Patterns to Look For
Raw geolocation data becomes useful when you look at it in aggregate. Here are the patterns that experienced analysts look for when reviewing bulk IP lookup results.
Geographic clustering
If 60% of the IPs in your list geolocate to the same country or city, that concentration is meaningful. For attack traffic, it might indicate a regionally concentrated botnet or a specific threat actor. For web traffic analysis, it reveals your primary audience geography. Look at the distribution, not just individual results.
Hosting versus residential split
The connection type field separates hosting/data center IPs from residential ones. In normal website traffic, you expect mostly residential and mobile connections. If a large proportion of your traffic comes from hosting IPs, you might be seeing bot traffic, scrapers, or automated tools. In attack analysis, a high hosting percentage suggests rented infrastructure rather than compromised home computers.
ASN concentration
The Autonomous System Number groups IPs by the network that operates them. If 40 of your 200 flagged IPs share the same ASN, they are on the same network. This is useful in two ways: it simplifies blocking (block the ASN instead of 40 individual IPs), and it helps attribute the activity to a specific provider. You can do a WHOIS lookup on the ASN to learn more about the organization.
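The three aggregate views above (country concentration, hosting share, and ASN concentration) can be computed directly from the per-IP result rows. This is an added example, not InfoSniper's code: it uses the `countrycode`, `connectiontype`, `asnumber`, and `asorganization` fields from the JSON response shown earlier, and assumes `"hosting"` is the value that marks data center addresses. The sample rows use documentation-range IPs and ASNs with invented organization names, and the 20% threshold mirrors the "40 of 200" illustration.

```python
from collections import Counter, defaultdict


def _row(ip, cc, asn, org, ctype):
    return {"ipaddress": ip, "countrycode": cc, "asnumber": asn,
            "asorganization": org, "connectiontype": ctype}


# Constructed sample: ten result rows, not real lookup output.
SAMPLE_RESULTS = (
    [_row(f"198.51.100.{i}", "NL", 64500, "Example Hosting", "hosting")
     for i in range(1, 6)]
    + [_row("198.51.100.77", "NL", 64501, "Example Cloud", "hosting")]
    + [_row(f"203.0.113.{i}", "AU", 64502, "Example Telecom", "isp")
       for i in (10, 11)]
    + [_row("192.0.2.8", "US", 64503, "Example ISP", "isp"),
       _row("192.0.2.9", "DE", 64504, "Example Net", "isp")]
)
# Constructed per-IP request counts, as kept before deduplication.
SAMPLE_HITS = {"198.51.100.1": 4521, "198.51.100.2": 891, "203.0.113.10": 12}


def summarize(results, hit_counts=None, asn_threshold=0.2):
    """Aggregate per-IP rows into the shares an analyst reviews first."""
    hit_counts = hit_counts or {}
    total = len(results)
    if total == 0:
        return {"total": 0, "top_country": None,
                "hosting_share": 0.0, "asn_clusters": []}

    countries = Counter(r.get("countrycode") or "unknown" for r in results)
    hosting = sum(1 for r in results if r.get("connectiontype") == "hosting")

    asn_ips, asn_org = defaultdict(list), {}
    for r in results:
        asn = r.get("asnumber")
        if asn is None:
            continue                      # no network attribution for this row
        asn_ips[asn].append(r.get("ipaddress"))
        asn_org.setdefault(asn, r.get("asorganization"))

    clusters = []
    for asn, ips in asn_ips.items():
        share = len(ips) / total
        if share >= asn_threshold:
            clusters.append({
                "asn": asn, "org": asn_org[asn], "ips": len(ips),
                "share": round(share, 3),
                # Request volume merged back from the pre-dedup counts
                "requests": sum(hit_counts.get(ip, 0) for ip in ips),
            })
    clusters.sort(key=lambda c: c["ips"], reverse=True)

    code, n = countries.most_common(1)[0]
    return {"total": total,
            "top_country": (code, round(n / total, 3)),
            "hosting_share": round(hosting / total, 3),
            "asn_clusters": clusters}


if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS, SAMPLE_HITS))
```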
Timezone versus activity time
If account logins cluster between 2-5 AM local time (based on the IP's timezone), that is unusual for legitimate users but normal for automated tools. Conversely, if the timezone on the IP does not match where the account holder claims to be, that is a signal worth investigating. This kind of cross-referencing is only practical when you have bulk geolocation data including timezone fields.
Repeat networks across incidents
Over time, bulk lookup results build a profile of which networks your organization encounters most frequently. If the same ASNs or IP blocks appear across multiple incidents, you can proactively block or monitor those ranges. This is where the data from individual investigations compounds into strategic intelligence.
Frequently Asked Questions
Sources
- SANS Institute — "SOC Survey: Alert Volume and Analyst Workload" — sans.org
- Merchant Risk Council — "2025 Global eCommerce Payments and Fraud Report" — merchantriskcouncil.org
- Allied Market Research — "IP Geo-Location Services Market to Reach $7.4 Billion by 2031" — alliedmarketresearch.com
- DB-IP — "IP Geolocation Accuracy Benchmarks" — db-ip.com
- Arctic Wolf — "2025 Security Operations Report" — arcticwolf.com
- RIPE NCC — "How IP Addresses Are Allocated and Managed" — ripe.net