Subnet and CIDR Basics for IP Range Lookups
Understand CIDR notation, IP ranges, and why security teams often block or allow networks instead of single IP addresses.
What CIDR notation means
CIDR notation describes a block of IP addresses using a prefix, such as 203.0.113.0/24. The number after the slash indicates how much of the address is fixed.
Smaller prefix numbers usually represent larger ranges. This is why a single rule can cover many addresses.
Why ranges matter
Attackers, crawlers, and cloud providers often use many IPs in the same range. Looking at only one address can miss a broader pattern.
At the same time, broad range blocks can create false positives if the network is shared by many legitimate customers.
Safe range policies
Start with narrow rules and expand only when evidence shows the whole range is involved. Keep notes about why each range was blocked or allowed.
Use IP lookup, ASN data, and logs to understand whether a CIDR belongs to a single source or a large shared provider.
How to use this guide with the lookup tool
Start by identifying the question you need to answer: location, ownership, risk, proxy status, troubleshooting, or enforcement. The same IP result can support different decisions depending on that goal.
Read lookup fields together. Country, city, ISP, ASN, network type, fraud score, and health summary each explain a different part of the connection. A useful conclusion usually comes from combining several of them.
For any important decision, keep the lookup in context with your original evidence. IP intelligence is a fast enrichment layer, not a replacement for logs, account history, device signals, or business rules.
For a live example, run the relevant address through Crafzo IP Lookup or open the IPv6 Lookup to compare the article guidance with real lookup fields.
Signals to compare before acting
| Signal | What to check | Practical use |
|---|---|---|
| Lookup goal | Are you troubleshooting, investigating abuse, or reviewing risk? | Keeps the interpretation tied to the user or business need. |
| Location | Does the country or region explain the observed activity? | Adds context without claiming exact location. |
| Network | Does the ISP or ASN match consumer, business, cloud, or proxy expectations? | Helps decide whether traffic looks ordinary or unusual. |
| Risk | Do fraud and proxy signals match the behavior in your logs? | Guides whether to allow, challenge, monitor, or block. |
Practical checklist
- Define the decision before reading the lookup result.
- Combine at least two independent signals.
- Avoid exact-location claims.
- Keep a timestamped note for important reviews.
Frequently Asked Questions
What does /24 mean?
For IPv4, a /24 usually contains 256 addresses, though usable host counts depend on context.
Should I block a whole subnet?
Only when the evidence supports it. Broad blocks can affect legitimate users.
Check an IP Address Now
Use the free Crafzo IP Lookup tool to check IP location, risk score, and AI-powered IP health.
Open IP lookup