@pipeworx/abuseipdb

Connect: https://gateway.pipeworx.io/abuseipdb/mcp

Tools: 3

AbuseIPDB is a community-curated database of IPs reported for malicious activity (brute force, DDoS, web spam, credential stuffing, etc.). ~150M+ historical reports across millions of IPs. Each IP gets a confidence score (0-100) based on report volume, recency, and reporter trust. Used by sysadmins, security teams, and AI agents doing threat intelligence.

Why this matters for AI agents

For security analysis (investigating a suspicious IP in logs, scoring inbound traffic, building blocklists) AbuseIPDB is the most widely used free IP reputation source. Pair it with NVD for vulnerability research and with Shodan / PhishTank / URLhaus for adjacent threat intel.

Common flows:

  • IP check. “What’s the reputation of 1.2.3.4?” → confidence score, recent reports, abuse categories.
  • Blacklist pull. “Get a list of IPs flagged as DDoS sources in the last 90 days” → filtered blacklist export.
  • Report submission. If you have evidence of abuse from an IP, you can submit a report (counts toward the reporter’s trust score).

Auth

AbuseIPDB requires a free API key from https://www.abuseipdb.com/account/api. Free tier: 1,000 check requests/day; the blacklist endpoint has a separate, much lower daily allowance on the free tier. Pass the key via _apiKey.

Confidence score interpretation

  Score    Meaning
  0        Never reported (or whitelisted by AbuseIPDB)
  1-25     Few reports, low confidence
  26-75    Moderate concern; multiple reports across time
  76-100   High confidence; active or recent malicious activity

For automated blocking, 75+ is the conservative threshold. For alerting/triage, 25+ catches more activity.

Abuse categories

Each report tags categories (multiple per report):

  Category ID   Activity
  3             Fraud Orders
  4             DDoS Attack
  5             FTP Brute-Force
  9             Open Proxy
  10            Web Spam
  11            Email Spam
  14            Port Scan
  15            Hacking
  18            Brute-Force
  19            Bad Web Bot
  21            Web App Attack
  22            SSH Brute-Force

For agent-driven triage, filter on categories as well as score to reduce false positives: an IP flagged only as "Web Spam" is a different risk from one flagged as "Hacking" or "SSH Brute-Force", even at the same confidence score.

Common pitfalls

  • Score is reporter-weighted. A handful of trusted reporters carries more weight than many anonymous ones. Don’t assume “reported by 100 sources” means 100 separate organizations — could be one researcher’s 100 honeypots.
  • NAT and shared IPs. Carrier-grade NAT, AWS / GCP exit IPs, and Tor exit nodes get flagged constantly. A high score for a known shared IP doesn’t necessarily implicate any single user.
  • Historical decay. Recent reports weight more than older ones. An IP that was malicious in 2019 but clean since may have a residual score that’s no longer accurate.
  • Self-reporting bias. People report what they detect; sophisticated attacks (low-and-slow, residential proxies) underreport.
  • False positives from scanning. Legitimate internet-wide scanners (Shodan, Censys) are routinely reported as abuse by sysadmins who do not recognise them. Their source ranges are published; allowlist them client-side before acting on a score.
  • Rate limiting on free tier. 1,000 checks/day may not be enough for production. Consider a commercial tier, or cache results in the agent's memory so the same IP is not re-checked within a short window.
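The following is an added example, not code from the page or from the pipeworx project, showing how an agent can apply the score thresholds, the category-aware filtering and the pitfalls above to a single check result. It assumes (this is not stated on the page) that check_ip returns the same JSON as the AbuseIPDB v2 CHECK endpoint (abuseConfidenceScore, usageType, isTor, totalReports, numDistinctUsers, lastReportedAt and, in verbose mode, a "reports" list with "categories"). The allowlist CIDRs and the two sample responses are constructed placeholders.

```python
"""Client-side triage of an AbuseIPDB check result (added example).

Assumption: check_ip returns the v2 CHECK endpoint's JSON. ALLOWLIST CIDRs and
the sample responses below are constructed, not real scanner or attacker IPs.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Category IDs from the page's table.
CATEGORY_NAMES = {
    3: "Fraud Orders", 4: "DDoS Attack", 5: "FTP Brute-Force", 9: "Open Proxy",
    10: "Web Spam", 11: "Email Spam", 14: "Port Scan", 15: "Hacking",
    18: "Brute-Force", 19: "Bad Web Bot", 21: "Web App Attack", 22: "SSH Brute-Force",
}
NUISANCE_ONLY = {10, 11, 19}   # spam/bot categories: rarely justify a network block

BLOCK_THRESHOLD = 75           # conservative automated-blocking threshold
ALERT_THRESHOLD = 25           # triage threshold
STALE_AFTER = timedelta(days=90)

# Hypothetical client-side allowlist: own egress plus scanners you trust.
ALLOWLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]


def is_allowlisted(ip: str, allowlist=ALLOWLIST) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in allowlist)


def categories_of(data: dict) -> set:
    """Union of category IDs over all verbose reports (empty if not verbose)."""
    cats = set()
    for report in data.get("reports", []):
        cats.update(report.get("categories", []))
    return cats


def triage(check_response: dict, now: datetime, allowlist=ALLOWLIST) -> dict:
    """Map a raw check result to a verdict (allow/clean/monitor/alert/block) plus reasons."""
    data = check_response["data"]
    ip, score = data["ipAddress"], data.get("abuseConfidenceScore", 0)
    cats, reasons = categories_of(data), []

    if is_allowlisted(ip, allowlist):
        return {"ip": ip, "verdict": "allow", "score": score, "reasons": ["in client-side allowlist"]}
    if score == 0:
        return {"ip": ip, "verdict": "clean", "score": score, "reasons": []}

    # Pitfall: many reports from very few distinct reporters (one honeypot fleet).
    total, distinct = data.get("totalReports", 0), data.get("numDistinctUsers", 0)
    if total >= 20 and distinct <= 2:
        reasons.append(f"{total} reports but only {distinct} distinct reporter(s)")
    # Pitfall: shared infrastructure (cloud egress, Tor) implicates no single user.
    usage = data.get("usageType") or ""
    if data.get("isTor") or "Data Center" in usage:
        reasons.append(f"shared infrastructure ({usage or 'Tor exit'})")
    # Pitfall: historical decay; residual score with no recent reports.
    last = data.get("lastReportedAt")
    if last and now - datetime.fromisoformat(last) > STALE_AFTER:
        reasons.append(f"last report older than {STALE_AFTER.days} days")

    if score >= BLOCK_THRESHOLD:
        verdict = "block"
        if cats and cats <= NUISANCE_ONLY:   # category-aware downgrade
            verdict = "alert"
            reasons.append("only nuisance categories: " +
                           ", ".join(CATEGORY_NAMES.get(c, str(c)) for c in sorted(cats)))
    elif score >= ALERT_THRESHOLD:
        verdict = "alert"
    else:
        verdict = "monitor"
    if verdict == "block" and reasons:       # any caveat sends a block to human review
        verdict = "alert"
    return {"ip": ip, "verdict": verdict, "score": score, "reasons": reasons,
            "categories": sorted(CATEGORY_NAMES.get(c, str(c)) for c in cats)}


# Constructed sample responses in the shape of the v2 CHECK endpoint.
NOW = datetime(2026, 5, 9, tzinfo=timezone.utc)
SSH_BRUTE = {"data": {"ipAddress": "192.0.2.10", "abuseConfidenceScore": 100,
             "usageType": "Fixed Line ISP", "isTor": False, "totalReports": 140,
             "numDistinctUsers": 37, "lastReportedAt": "2026-05-08T21:02:11+00:00",
             "reports": [{"categories": [18, 22]}, {"categories": [22]}]}}
SPAM_ONLY = {"data": {"ipAddress": "192.0.2.20", "abuseConfidenceScore": 81,
             "usageType": "Data Center/Web Hosting/Transit", "isTor": False,
             "totalReports": 60, "numDistinctUsers": 1,
             "lastReportedAt": "2026-01-02T00:00:00+00:00",
             "reports": [{"categories": [10, 19]}]}}

if __name__ == "__main__":
    for sample in (SSH_BRUTE, SPAM_ONLY):
        print(triage(sample, NOW))
```

The SSH brute-force sample (score 100, 37 distinct reporters, reported yesterday) comes out as "block"; the spam-only sample (score 81 but a single reporter, hosting-provider range, last report four months old) is downgraded to "alert" with every caveat listed, which is what a human reviewer needs to see before the IP is blocked.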

Tools

  • check_ip — Check an IP address against the AbuseIPDB database. Returns abuse confidence score (0-100), ISP, usage type, country, number of reports, and last reported date. Example: check_ip(“8.8.8.8”).
  • report_ip — Report an abusive IP address to AbuseIPDB. Requires category IDs from the table above (e.g., “18,22” for Brute-Force + SSH Brute-Force; DDoS is category 4). Returns the updated abuse confidence score.
  • get_blacklist — Get the AbuseIPDB blacklist of the most-reported IP addresses. Returns IPs with their abuse confidence scores. Useful for building blocklists.
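As an added example (not code from the page or the pipeworx project), here is the blocklist flow end to end: take a get_blacklist result, keep only entries at or above a score threshold, subtract a client-side allowlist, and render the survivors as an nftables table with expiring set elements. It assumes the tool returns the same JSON as the v2 BLACKLIST endpoint (a "data" list of objects with "ipAddress" and "abuseConfidenceScore"); the payload and the allowlist range are constructed.

```python
"""Build an nftables blocklist from a get_blacklist result (added example).

Assumption: get_blacklist returns the v2 BLACKLIST endpoint's JSON. SAMPLE and
ALLOWLIST are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

# Placeholder allowlist (own egress, trusted scanners); not real scanner ranges.
ALLOWLIST = [ip_network("203.0.113.0/24")]


def select_blocklist(blacklist_response, min_score=100, allowlist=ALLOWLIST):
    """Return (ipv4, ipv6) address lists at or above min_score, minus the allowlist."""
    v4, v6 = set(), set()
    for entry in blacklist_response["data"]:
        if entry["abuseConfidenceScore"] < min_score:
            continue
        addr = ip_address(entry["ipAddress"])
        if any(addr in net for net in allowlist):
            continue            # pitfall: never block your own or trusted scanner IPs
        (v4 if addr.version == 4 else v6).add(addr)
    return sorted(v4), sorted(v6)


def render_nft(v4, v6, timeout="1d"):
    """Render an nftables table dropping inbound traffic from the two sets.

    A set-level timeout makes every element expire on its own, so a stale
    export (historical-decay pitfall) cannot keep an IP blocked forever.
    """
    def set_block(name, family, elems):
        lines = [f"    set {name} {{", f"        type {family}",
                 "        flags timeout", f"        timeout {timeout}"]
        if elems:   # nft rejects an empty 'elements = { }'
            lines.append("        elements = { " + ", ".join(map(str, elems)) + " }")
        lines.append("    }")
        return lines

    out = ["table inet filter {"]
    out += set_block("abuseipdb_v4", "ipv4_addr", v4)
    out += set_block("abuseipdb_v6", "ipv6_addr", v6)
    out += ["    chain input {",
            "        type filter hook input priority 0; policy accept;",
            "        ip saddr @abuseipdb_v4 drop",
            "        ip6 saddr @abuseipdb_v6 drop",
            "    }", "}"]
    return "\n".join(out) + "\n"


# Constructed sample in the shape of the v2 BLACKLIST endpoint.
SAMPLE = {"meta": {"generatedAt": "2026-05-09T00:00:00+00:00"},
          "data": [
              {"ipAddress": "192.0.2.5", "abuseConfidenceScore": 100},
              {"ipAddress": "192.0.2.5", "abuseConfidenceScore": 100},     # duplicate
              {"ipAddress": "198.51.100.9", "abuseConfidenceScore": 97},   # under threshold
              {"ipAddress": "203.0.113.77", "abuseConfidenceScore": 100},  # allowlisted
              {"ipAddress": "2001:db8::1", "abuseConfidenceScore": 100},
          ]}

if __name__ == "__main__":
    v4, v6 = select_blocklist(SAMPLE)
    print(render_nft(v4, v6), end="")   # pipe into: nft -f -
```

The default of 100 for min_score matches the endpoint's own default confidenceMinimum; lower it only when you have reviewed what the 76-99 band looks like for your traffic, and keep the timeout short enough that a missed refresh fails open rather than permanently.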

Regenerated from source · build May 9, 2026