Advanced API Abuse Detection via IP Anomaly Analysis
API endpoints are the primary attack surface for modern automated threats. Standard rate limiting (answering 429 Too Many Requests once a per-IP threshold is exceeded) is insufficient against distributed botnets that rotate IPs across residential proxies. To secure critical paths such as authentication, payment gateways, and inventory lookup, engineers must implement deep packet inspection logic centered on IP metadata.
The Signal in the Noise: IP Metadata
IP addresses are not merely routing labels; once enriched with context, they become strong indicators of intent. Anomaly detection relies on enriching raw IPs with that context. The three highest-fidelity signals for abuse detection are:
- Connection Type: Distinguishing between Residential, Mobile, Corporate, and Data Center traffic. Traffic hitting a consumer login endpoint from a Data Center IP (hosting provider) is inherently anomalous.
- ASN Reputation: Autonomous Systems (ASNs) associated with cheap VPS providers or known bulletproof hosting have higher probability of malicious intent than Tier 1 ISPs.
- Geolocation Velocity: "Impossible travel" calculations based on IP geolocation changes within a short time window.
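The "impossible travel" calculation mentioned above, as an added worked example (this is not IPASIS code, and the page shows no implementation of it). It assumes city-level geolocation already attached to each request, a 900 km/h ceiling on plausible movement, and a 50 km floor below which geolocation jitter is ignored; the session, IPs and coordinates are constructed for the demonstration.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed thresholds for this example: nothing legitimate moves faster than an
# airliner, and IP geolocation is city-level at best, so small jumps are ignored.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class GeoEvent:
    """One request in a session: source IP, where it geolocates, and when (unix seconds)."""
    ip: str
    lat: float
    lon: float
    ts: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_speed_kmh(prev: GeoEvent, cur: GeoEvent) -> float:
    """Speed the client would have needed to move between the two events."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        # Same instant (or out-of-order events): any real distance is unreachable.
        return math.inf if distance > 0 else 0.0
    return distance / hours


def is_impossible_travel(prev: GeoEvent, cur: GeoEvent,
                         max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                         min_distance_km: float = MIN_DISTANCE_KM) -> bool:
    """True when the geolocation jump cannot be explained by physical travel."""
    if haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) < min_distance_km:
        return False  # within geolocation jitter, never flag
    return travel_speed_kmh(prev, cur) > max_speed_kmh


def flag_session(events: List[GeoEvent]) -> List[Tuple[str, str, float]]:
    """Walk a session in time order; return (from_ip, to_ip, speed_kmh) for each impossible hop."""
    ordered = sorted(events, key=lambda e: e.ts)
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        if is_impossible_travel(prev, cur):
            flagged.append((prev.ip, cur.ip, round(travel_speed_kmh(prev, cur), 1)))
    return flagged


# Constructed session (documentation IP ranges, city-centre coordinates):
# London, then Paris three hours later (plausible), then New York one hour
# after that (not plausible).
T0 = 1_700_000_000.0
SAMPLE_SESSION = [
    GeoEvent("198.51.100.10", 51.5074, -0.1278, T0),
    GeoEvent("198.51.100.20", 48.8566, 2.3522, T0 + 3 * 3600),
    GeoEvent("203.0.113.7", 40.7128, -74.0060, T0 + 4 * 3600),
]

if __name__ == "__main__":
    for hop in flag_session(SAMPLE_SESSION):
        print("impossible travel: %s -> %s at %.0f km/h" % hop)
```

The distance floor matters more than the speed ceiling in practice: two requests from the same metro area a second apart can geolocate to different suburbs and would otherwise produce an absurd speed. Treat a flagged hop as a signal to combine with the ASN and connection-type checks, not as a block on its own.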
Strategy 1: Contextual Rate Limiting
Apply strict rate limits to low-trust IP ranges while allowing higher throughput for established ISPs. This reduces false positives for legitimate users behind CGNAT (Carrier-Grade NAT) while choking bot traffic.
Python Implementation (Redis + IP Intelligence)
This Python snippet demonstrates a sliding window rate limiter that adjusts the threshold based on the IP's privacy status (VPN/Proxy detection).
import redis
import time
import requests

# Redis connection
r = redis.Redis(host='localhost', port=6379, db=0)

def check_rate_limit(ip_address, endpoint):
    # 1. Enrich IP data via IPASIS API (bounded timeout so a slow lookup
    #    cannot stall the request path)
    response = requests.get(f"https://api.ipasis.com/json/{ip_address}", timeout=2)
    response.raise_for_status()
    ip_data = response.json()

    # 2. Determine risk factor: VPN or proxy traffic is treated as high risk
    security = ip_data.get('security', {})
    is_high_risk = security.get('is_vpn', False) or security.get('is_proxy', False)

    # 3. Set limits: High risk gets 5 req/min, Low risk gets 60 req/min
    limit = 5 if is_high_risk else 60
    window = 60  # seconds
    key = f"rate_limit:{endpoint}:{ip_address}"
    current_time = time.time()

    # Atomically manage the sliding window: drop timestamps older than the
    # window, record this request, count what remains, refresh the key's TTL
    pipeline = r.pipeline()
    pipeline.zremrangebyscore(key, 0, current_time - window)
    pipeline.zadd(key, {current_time: current_time})  # member and score are both the timestamp
    pipeline.zcard(key)
    pipeline.expire(key, window)
    results = pipeline.execute()
    request_count = results[2]  # zcard result; includes the request just recorded

    if request_count > limit:
        return False  # Block request
    return True  # Allow request
Strategy 2: Blocking Hosting Providers on Auth Routes
Credential stuffing attacks often originate from cloud infrastructure. By rejecting traffic from hosting providers on /login or /signup endpoints, you eliminate a significant portion of automated noise.
Node.js Middleware Example
const express = require('express');
const axios = require('axios');

const app = express();
// If the app sits behind a reverse proxy, configure Express's 'trust proxy'
// setting so req.ip reflects the real client rather than the proxy.

async function ipSecurityMiddleware(req, res, next) {
    const clientIp = req.ip;
    try {
        // Fetch IP metadata (API key read from the environment, never hard-coded)
        const { data } = await axios.get(
            `https://api.ipasis.com/json/${clientIp}?key=${process.env.IPASIS_API_KEY}`,
            { timeout: 2000 }
        );
        // Define strict criteria for sensitive routes
        const isHostingProvider = data.connection.type === 'hosting';
        const isTorExitNode = data.security.is_tor;
        if (isHostingProvider || isTorExitNode) {
            console.warn(`Blocked suspicious access from ${clientIp} on ASN ${data.connection.asn}`);
            return res.status(403).json({
                error: 'Access denied: Unauthorized network type.'
            });
        }
        next();
    } catch (error) {
        // Fail open or closed depending on security posture (this example fails open)
        console.error("IP Intelligence lookup failed", error);
        next();
    }
}

// loginHandler is the application's own login route handler
app.post('/api/auth/login', ipSecurityMiddleware, loginHandler);
Architectural Considerations
- Caching is Critical: Do not query the IP intelligence API on every request. Cache the metadata in Redis/Memcached with a TTL of 24 hours. IP ownership changes slowly.
- Fail-Open vs. Fail-Closed: For non-critical paths, fail open if the IP enrichment service times out to preserve UX. For admin panels, fail closed.
- IPv6: Ensure your storage logic normalizes IPv6 addresses, since a single attacker controls an effectively unlimited supply of them within one allocation. Rate limit by /64 subnet rather than by individual IPv6 address.
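The three considerations above (caching enrichment results with a 24-hour TTL, choosing fail-open or fail-closed per route, and bucketing IPv6 by /64) as one added worked example. This is not IPASIS code; it keeps the `connection.type` / `security.is_tor` fields from the page's own middleware example, uses an in-memory dictionary where a deployment would use Redis or Memcached, and the metadata records, IP addresses and the simulated outage are constructed for the demonstration.

```python
import ipaddress
import time
from typing import Callable, Dict, Optional

# Policy values from the page: 24 h cache TTL and /64 bucketing for IPv6.
CACHE_TTL_SECONDS = 24 * 3600
IPV6_BUCKET_PREFIX = 64


def rate_limit_subject(ip_text: str) -> str:
    """Return the bucket a client is rate limited by.

    IPv4 addresses are their own bucket. IPv4-mapped IPv6 addresses
    (::ffff:a.b.c.d) are folded back into IPv4 so one client cannot occupy
    two buckets. Native IPv6 addresses collapse to their /64, because a
    single subscriber can use any of the 2^64 addresses inside it.
    """
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 6:
        return str(ipaddress.IPv6Network((int(addr), IPV6_BUCKET_PREFIX), strict=False))
    return str(addr)


class EnrichmentCache:
    """Memoize IP-intelligence lookups with a TTL so the API is not hit on every request."""

    def __init__(self, lookup: Callable[[str], Dict], ttl: float = CACHE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._lookup = lookup      # the real lookup would call the enrichment API
        self._ttl = ttl
        self._clock = clock        # injectable for deterministic expiry in tests
        self._store: Dict[str, tuple] = {}  # canonical address -> (expires_at, data)
        self.backend_calls = 0     # how often the real lookup ran

    def get(self, ip_text: str) -> Optional[Dict]:
        """Return cached metadata, refreshing on expiry; None when the lookup failed."""
        key = str(ipaddress.ip_address(ip_text))  # canonical text form as the cache key
        now = self._clock()
        entry = self._store.get(key)
        if entry is not None and entry[0] > now:
            return entry[1]
        try:
            self.backend_calls += 1
            data = self._lookup(ip_text)
        except Exception:
            return None  # the caller decides fail-open vs fail-closed
        self._store[key] = (now + self._ttl, data)
        return data


def allow_request(cache: EnrichmentCache, ip_text: str, fail_closed: bool) -> bool:
    """Apply the hosting/Tor criteria; on lookup failure obey the route's fail policy."""
    data = cache.get(ip_text)
    if data is None:
        return not fail_closed  # open for ordinary routes, closed for admin panels
    connection = data.get("connection", {})
    security = data.get("security", {})
    blocked = connection.get("type") == "hosting" or security.get("is_tor", False)
    return not blocked


# Constructed metadata records (documentation addresses, private-use ASNs).
CONSTRUCTED_METADATA = {
    "2001:db8::1": {"connection": {"type": "hosting", "asn": "AS64500"}, "security": {"is_tor": False}},
    "203.0.113.5": {"connection": {"type": "isp", "asn": "AS64501"}, "security": {"is_tor": False}},
}


def run_demo():
    """Exercise cache hits, TTL expiry and both fail policies with a controllable clock."""
    state = {"now": 1_700_000_000.0, "outage": False}

    def fake_lookup(ip: str) -> Dict:
        if state["outage"]:
            raise ConnectionError("enrichment service unreachable (simulated)")
        return CONSTRUCTED_METADATA[ip]

    cache = EnrichmentCache(fake_lookup, clock=lambda: state["now"])
    first = allow_request(cache, "2001:db8::1", fail_closed=False)   # hosting -> blocked
    second = allow_request(cache, "2001:db8::1", fail_closed=False)  # served from cache
    calls_after_two = cache.backend_calls                            # 1
    state["now"] += CACHE_TTL_SECONDS + 1                            # entry expires
    allow_request(cache, "2001:db8::1", fail_closed=False)
    calls_after_expiry = cache.backend_calls                         # 2
    state["outage"] = True                                           # backend now fails
    open_result = allow_request(cache, "203.0.113.5", fail_closed=False)   # True
    closed_result = allow_request(cache, "203.0.113.5", fail_closed=True)  # False
    return first, second, calls_after_two, calls_after_expiry, open_result, closed_result


if __name__ == "__main__":
    print(run_demo())
```

Note that the cache key is the individual address while the rate-limit key is the /64 bucket: enrichment answers "what is this address", so it is keyed per address, whereas the limiter needs to see all addresses in one subscriber's subnet as one client. A production version would store both under the TTL in Redis rather than in a dictionary.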
FAQ
Q: Will blocking data center IPs block legitimate corporate VPNs? A: Occasionally. However, corporate VPNs typically have specific ASNs. You can maintain an allowlist for known partner ASNs or require MFA for traffic originating from hosting ranges.
Q: How do we handle mobile users on CGNAT? A: Mobile users often share IPs. Never block solely based on request volume from a mobile ISP. Combine velocity checks with User-Agent analysis and IP reputation scores.
Q: What is the latency impact of IP enrichment? A: Direct API calls add latency. The recommended pattern is to perform the lookup asynchronously (sidecar) or verify only on the first request of a session and cache the result.
Secure Your Infrastructure with IPASIS
Anomaly detection is only as good as the data feeding it. IPASIS provides enterprise-grade IP intelligence with real-time detection for VPNs, proxies, and Tor nodes.
Stop guessing who is accessing your API. Get your free API key at IPASIS.com and start filtering abusive traffic today.