Scoring Rules
ShieldLabs applies several rules that modify how signals combine. These reduce false positives for legitimate VPN users and browser extension proxies.Exclusive IP flags
When certain IP intelligence flags fire, other signals are not counted:| Flag | Score | Effect |
|---|---|---|
Is tor | +99 | All other IP and connectivity signals ignored |
Is privacy relay | +15 | All other IP signals ignored |
Is VPN | +15 | Proxy/datacenter/abuser and most connectivity signals ignored |
VPN detection: 2-of-3 rule
VPN is not triggered by IP database alone. Three signals are evaluated:| # | Signal | Source |
|---|---|---|
| 1 | IP API is_vpn | ipapi.is |
| 2 | TCP VPN hint | Shield.Tcp MSS/MTU analysis (vpn, tor_double_vpn) |
| 3 | STUN failed | No STUN binding within scoring window |
- TCP data available → 2 of 3 signals required →
Is VPN(+15) - No TCP data for this IP → 1 of 2 (IP API + STUN only)
Example: VPN user with STUN OK
Example: VPN with STUN blocked
Browser VPN/Proxy collapse
When the browser appears to use an extension VPN or proxy (datacenter/abuser IP + OS mismatch, but not confirmed VPN), individual flags are replaced with a single signal:Value: 0.
Conditions:
- Datacenter or abuser IP from ipapi.is
- UA OS ≠ TCP OS (both detected)
- VPN 2-of-3 rule not triggered
- Not antidetect or JavaScript-disabled
OS mismatch scoring
When User-Agent OS and TCP fingerprint OS disagree (and neither is “not detected”), a single mismatch signal fires at +60 (not +30 per OS):Practical score guide
| Scenario | Typical score |
|---|---|
| Clean residential user | 0 |
| VPN user, STUN OK, no TCP hint | 0–15 |
| VPN confirmed (2-of-3) | 15 |
| Browser extension VPN | 30 |
| OS mismatch (anti-detect) | 60 |
| Antidetect port scan | 60+ |
| OS mismatch + STUN fail + datacenter | 60–100 |
| Tor exit node | 99 |
| Rate limit ban | 999 |