ipasis
Blog/Security Engineering

Detecting Malicious Traffic via IP Behavior Analysis

January 20, 20268 min read

Static blocklists are insufficient for modern threat landscapes. Attackers utilize residential proxies, rotating IPs, and compromised IoT devices to bypass legacy firewalls. Effective security requires analyzing the behavior and metadata associated with an IP address in real-time.

This guide outlines the technical implementation of IP behavior analysis to detect botnets, account takeovers (ATO), and fraudulent transactions.

Key Behavioral Indicators

To identify malicious traffic programmatically, assess the following vector combination:

  1. Velocity: The rate of requests from a single IP or subnet.
  2. Geolocation Anomalies: Impossible travel (e.g., a login from London five minutes after a login from New York).
  3. Infrastructural Context: The nature of the ISP. Traffic originating from a cloud hosting provider (AWS, DigitalOcean) is suspicious for a residential login endpoint.
  4. Anonymization Status: The presence of Tor, VPNs, or proxies.

Implementing Real-time Detection

The following logic demonstrates how to integrate IP intelligence to score incoming requests. We utilize a weighted scoring model rather than a binary block to reduce false positives.

Python Implementation

This script utilizes the IPASIS API to enrich incoming IP data and calculate a fraud risk score.

import requests

def calculate_risk_score(ip_address, api_key):
    url = f"https://api.ipasis.com/json/{ip_address}"
    headers = {"X-Key": api_key}
    
    try:
        response = requests.get(url, headers=headers, timeout=2)
        data = response.json()
    except requests.exceptions.RequestException:
        # Fail open or closed depending on policy
        return 0

    score = 0

    # Factor 1: Infrastructure Type
    # Hosting/Data center IPs should not be logging into consumer accounts
    if data.get('is_crawler') or data.get('is_hosting'):
        score += 50

    # Factor 2: Anonymizers
    if data.get('is_proxy') or data.get('is_vpn') or data.get('is_tor'):
        score += 30

    # Factor 3: Reputation (Assuming internal history or threat score)
    # Example: Check if ISP is a known bulletproof host
    high_risk_isps = ['BadHost LLC', 'Offshore Servers']
    if data.get('isp') in high_risk_isps:
        score += 20
        
    return score

# Usage
request_ip = "192.0.2.1"
risk = calculate_risk_score(request_ip, "YOUR_IPASIS_KEY")

if risk >= 80:
    print("BLOCK: High risk traffic detected.")
elif risk >= 50:
    print("CHALLENGE: Serve 2FA or Captcha.")
else:
    print("ALLOW: Traffic normal.")

Handling Residential Proxies

Sophisticated attackers use residential proxies (compromised home devices) to mask their origin. In these scenarios, the IP appears to be from a legitimate ISP (e.g., Comcast, Verizon).

To detect this, you must correlate connection type with OS/User-Agent fingerprinting. If an IP belongs to a residential ISP but the connection characteristics (TCP/IP fingerprint) match a headless Linux server, the probability of a proxy is high.

Go Implementation (High Performance Middleware)

For high-throughput environments, check IP reputation at the edge/gateway level.

package main

import (
    "encoding/json"
    "fmt"
    "net/http"
    "time"
)

type IpInfo struct {
    IsProxy bool `json:"is_proxy"`
    IsTor   bool `json:"is_tor"`
}

func ipSecurityMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        userIP := r.Header.Get("X-Forwarded-For")
        
        // Ideally, check cache (Redis) before hitting API
        client := http.Client{Timeout: 200 * time.Millisecond}
        resp, err := client.Get(fmt.Sprintf("https://api.ipasis.com/json/%s?key=SECRET", userIP))
        
        if err == nil {
            defer resp.Body.Close()
            var info IpInfo
            json.NewDecoder(resp.Body).Decode(&info)

            if info.IsTor {
                http.Error(w, "Access Denied: Tor Exit Node", http.StatusForbidden)
                return
            }
        }

        next.ServeHTTP(w, r)
    })
}

Frequently Asked Questions

Q: Will checking IP reputation add latency to my application? A: API lookups typically take 50-100ms. To negate user impact, implement an asynchronous check or perform the lookup after the initial handshake. Caching results in Redis for 24 hours is highly recommended.

Q: Should I block all VPN traffic? A: No. Many legitimate users use VPNs for privacy. Instead, treat VPN usage as a neutral signal that requires stepped-up authentication (MFA) rather than an immediate block, unless the specific VPN provider is known for abuse.

Q: How do I handle IPv6? A: IPv6 privacy extensions rotate the interface identifier frequently. When analyzing IPv6 behavior, apply reputation scoring to the /64 subnet rather than the specific address to prevent rule dilution.

Secure Your Perimeter with IPASIS

Effective threat detection relies on data quality. IPASIS provides enterprise-grade accuracy for VPN, Proxy, and Tor detection with sub-millisecond processing times.

Stop guessing. Start knowing.

Get your free API Key | Read the Documentation

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key