ipasis
Blog/Technical Guide

Engineering an IP Trust Scoring Engine: A Technical Guide

January 31, 20267 min read

Binary access controls (Allow/Block) are insufficient for modern security architectures. Sophisticated threat actors utilize residential proxies and clean VPNs to bypass static blacklists. To reduce false positives while maintaining security, engineers must implement a dynamic IP Trust Score.

This guide details how to build a weighted scoring algorithm using IP signals such as connection type, ASN analysis, and geolocation velocity.

The Anatomy of an IP Trust Score

A robust trust score is a composite metric, typically ranging from 0 (high risk) to 100 (high trust), derived from real-time metadata. The scoring engine should ingest the following signals:

  1. Connection Type: Is the IP associated with a VPN, Proxy, Tor exit node, or Hosting provider?
  2. ISP/ASN Classification: Does the traffic originate from a residential ISP (Comcast, Verizon) or a cloud provider (AWS, DigitalOcean)?
  3. Geolocation Consistency: Does the IP location match the user's provided billing address or device timezone?
  4. Reputation History: Has this specific IP or CIDR block been flagged for abuse recently?

Algorithm Design: Weighted Risk Assessment

A weighted subtraction model is effective for scoring. Start with a baseline score (e.g., 100) and deduct points based on risk severity.

| Signal | Risk Factor | Penalty | | :--- | :--- | :--- | | Tor Exit Node | Critical | -100 | | Public Proxy | High | -90 | | Hosting/Datacenter ASN | High | -75 | | VPN (Commercial) | Medium | -45 | | Mismatched Timezone | Low | -15 |

Implementation

The following Python example demonstrates a scoring engine integrating with the IPASIS API. It utilizes a dataclass for structure and implements logic to normalize the final score between 0 and 100.

import requests
from dataclasses import dataclass
from typing import Dict, Any

@dataclass
class RiskWeights:
    tor: int = 100
    proxy: int = 90
    hosting: int = 75
    vpn: int = 45
    geo_mismatch: int = 15

class IPScoringEngine:
    def __init__(self, api_key: str):
        self.base_url = "https://api.ipasis.com/v2/ip"
        self.api_key = api_key
        self.weights = RiskWeights()

    def get_ip_data(self, ip_address: str) -> Dict[str, Any]:
        response = requests.get(
            f"{self.base_url}/{ip_address}", 
            headers={"X-API-Key": self.api_key}
        )
        response.raise_for_status()
        return response.json()

    def calculate_trust_score(self, ip_data: Dict[str, Any], user_country: str = None) -> int:
        score = 100
        
        # Critical Checks
        if ip_data.get('security', {}).get('is_tor'):
            score -= self.weights.tor
        
        if ip_data.get('security', {}).get('is_proxy'):
            score -= self.weights.proxy
            
        # ASN Analysis: Datacenter traffic is suspicious for login endpoints
        if ip_data.get('asn', {}).get('type') == 'hosting':
            score -= self.weights.hosting
            
        # Contextual Checks
        if ip_data.get('security', {}).get('is_vpn'):
            score -= self.weights.vpn
            
        # Geolocation Validation
        ip_country = ip_data.get('location', {}).get('country_code')
        if user_country and ip_country != user_country:
            score -= self.weights.geo_mismatch

        return max(0, score)

# Usage
engine = IPScoringEngine("YOUR_IPASIS_KEY")
ip_metadata = engine.get_ip_data("203.0.113.1")
trust_score = engine.calculate_trust_score(ip_metadata, user_country="US")

if trust_score < 50:
    print(f"High Risk Detected: Score {trust_score} - Challenge User")
else:
    print(f"Traffic Allowed: Score {trust_score}")

Architectural Considerations

Latency Management

IP intelligence lookups introduce network latency. To mitigate impact on the critical path:

  1. Asynchronous Analysis: Perform lookups post-handshake for non-blocking logging.
  2. Caching: Cache API responses in Redis keyed by IP address. Set TTL based on IP volatility (e.g., 24 hours for residential IPs, 1 hour for cloud IPs).
  3. Fail-Open Logic: If the IP intelligence API times out, default to a neutral score to prevent causing a localized outage.

Handling CGNAT and Mobile Networks

Carrier-Grade NAT (CGNAT) allows thousands of mobile users to share a single public IP. Blocking these aggressively causes high false positives. Ensure your logic checks the connection_type—if it is cellular or isp, reduce penalty weights even if velocity is high.

FAQ

Q: Should I block all VPN traffic? No. Many legitimate users rely on VPNs for privacy or corporate security. Instead of blocking, trigger a step-up challenge (MFA/CAPTCHA) for scores falling between 30-60.

Q: How do I handle IPv6? Score the /64 subnet rather than the individual IPv6 address. Attackers often cycle through addresses within a single subnet.

Q: Where should this logic sit in the stack? Ideally at the edge (e.g., Cloudflare Workers, AWS Lambda @ Edge) or strictly within your authentication middleware service.

enhance Your Threat Detection

Building a scoring engine requires accurate, fresh data. Stale proxy lists lead to false positives and user churn.

IPASIS provides enterprise-grade IP intelligence with sub-millisecond lookups for VPN, Proxy, and Tor detection. Feed your scoring models with the most reliable data on the market.

Get your free API Key and start scoring traffic today.

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key