
Architecting Account Takeover Prevention: Identifying Suspicious Logins via IP Intelligence

January 29, 2026 · 5 min read

Credential stuffing and brute-force attacks remain the primary vectors for Account Takeover (ATO). While multi-factor authentication (MFA) is the gold standard, friction-sensitive user experiences often require passive risk assessment before challenging the user.

IP address analysis provides the highest signal-to-noise ratio for passive detection. By enriching ingress traffic with metadata—specifically geolocation, connection type, and ISP classification—security engineers can construct a robust scoring engine to flag or block suspicious attempts automatically.

1. Impossible Travel (Velocity Checks)

One of the strongest indicators of compromised credentials is the "impossible travel" anomaly: two login attempts occurring across a geographic distance that cannot be traversed in the elapsed time.

Implementation Logic

  1. Store Metadata: On every successful login, store the IP, timestamp, and coordinates (latitude/longitude) in a high-speed store (Redis).
  2. Calculate Velocity: On a new login attempt, retrieve the last known coordinates.
  3. Threshold: If the speed implies travel > 500 mph (approx 800 km/h), flag as suspicious.

Python Implementation (Haversine Formula)

import math
# 'timestamp' values below are timezone-aware datetime objects (datetime.datetime)

def haversine(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    R = 6371  # Earth radius in km
    dlat = math.radians(lat2 - lat1)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin(dlat / 2) * math.sin(dlat / 2) +
         math.cos(math.radians(lat1)) * math.cos(math.radians(lat2)) *
         math.sin(dlon / 2) * math.sin(dlon / 2))
    c = 2 * math.atan2(math.sqrt(a), math.sqrt(1 - a))
    return R * c

def is_impossible_travel(prev_login, current_login):
    # prev_login and current_login are dicts with 'lat', 'lon', 'timestamp'

    distance_km = haversine(prev_login['lat'], prev_login['lon'],
                            current_login['lat'], current_login['lon'])

    time_diff_hours = (current_login['timestamp'] - prev_login['timestamp']).total_seconds() / 3600

    # Same-second or out-of-order events: a speed cannot be computed, so fall
    # back to a pure distance tolerance instead of silently passing the check.
    if time_diff_hours <= 0:
        return distance_km > 10  # 10km tolerance for geo-IP drift

    speed = distance_km / time_diff_hours

    # Threshold: 800 km/h (approx commercial flight speed)
    return speed > 800

2. Detecting Anonymizers (VPNs, Proxies, Tor)

Legitimate users rarely access consumer applications via data center IPs (e.g., AWS, DigitalOcean) or Tor exit nodes. Masked IPs are a primary precursor to credential stuffing.

Using the IPASIS API, you can determine the connection_type and asn_type. High-risk attributes include:

  • is_proxy: True
  • is_vpn: True
  • is_tor: True
  • asn_type: 'hosting' (vs 'isp')

Node.js Middleware Example

This middleware rejects requests from known Tor nodes and flags Hosting IPs for MFA.

const axios = require('axios');

// Assumes an Express app with `app.set('trust proxy', ...)` configured so that
// req.ip is the real client address rather than the load balancer's.
// The API key is read from the environment (variable name chosen for this
// example) instead of being hardcoded in the source.
const IPASIS_API_KEY = process.env.IPASIS_API_KEY;

async function ipRiskMiddleware(req, res, next) {
    const clientIp = req.ip;

    try {
        const response = await axios.get(
            `https://api.ipasis.com/v1/${encodeURIComponent(clientIp)}?key=${IPASIS_API_KEY}`,
            { timeout: 500 } // keep a slow lookup from stalling the auth path
        );
        const ipData = response.data;
        const security = ipData.security || {};
        const asn = ipData.asn || {};

        // Immediate Block: Tor Exit Nodes
        if (security.is_tor) {
            return res.status(403).json({ error: 'Access denied from Tor network.' });
        }

        // Risk Signal: Datacenter/Hosting IPs -> step up to MFA
        if (asn.type === 'hosting') {
            req.riskScore = (req.riskScore || 0) + 50;
            req.requireMfa = true;
        }

        // Risk Signal: Public Proxies
        if (security.is_proxy) {
            req.riskScore = (req.riskScore || 0) + 30;
        }

        next();
    } catch (error) {
        console.error('IP Intelligence lookup failed', error.message);
        // Fail open (call next()) or closed (return 503) depending on security posture.
        // Failing open, as here, means a lookup outage silently disables the Tor block.
        next();
    }
}

module.exports = ipRiskMiddleware;

3. ISP and ASN Consistency Checks

Sophisticated attackers may use residential proxies to bypass data center IP blocks. However, they often fail to match the specific ISP profile of the victim.

If a user historically logs in from Comcast Cable (US) and suddenly attempts a login from Orange (France) or a minor regional ISP in a different country, the attempt deviates sharply from that user's established profile and warrants a higher risk score.

Strategy:

  1. Build a historical whitelist of ASNs for each user.
  2. Trigger email verification if a login originates from a new Country + ASN pair.

FAQ

Q: How do we handle legitimate users on corporate VPNs?
A: Do not block VPNs outright unless your app is geo-restricted. Instead, treat VPNs as a "step-up" trigger. If is_vpn is true, enforce 2FA or CAPTCHA, but allow the login if the credentials verify.

Q: What is the impact of IP geolocation accuracy on mobile networks?
A: Mobile carrier IPs (CGNAT) often route traffic through central gateways, causing geolocation to jump between cities. For mobile traffic, rely less on "city-level" impossible travel and more on ASN consistency and device fingerprinting.

Q: Does IP analysis add latency?
A: IPASIS is architected for real-time auth flows with sub-50ms response times. However, for non-blocking analysis, you can perform the lookup asynchronously post-handshake to flag the session for subsequent revocation.
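The three sections and the FAQ describe separate signals; the following added example (not IPASIS code) combines them into one scoring pass that yields allow, step-up or block, with VPNs handled as a step-up trigger as the FAQ advises. The weights, decision cut-offs, the in-memory per-user store standing in for Redis, and the sample login events are assumptions constructed for illustration; the field names mirror the article's API attributes.

```python
import math
from datetime import datetime, timedelta, timezone

# Added example (not IPASIS code): one scoring pass over the signals of
# sections 1-3. Weights, thresholds and the store layout are assumptions;
# field names (is_tor, is_vpn, is_proxy, asn_type) mirror the article's API.
HOSTING_WEIGHT, PROXY_WEIGHT, VPN_WEIGHT = 50, 30, 20
TRAVEL_WEIGHT, NEW_ASN_WEIGHT = 40, 25
MAX_SPEED_KMH, GEOIP_DRIFT_KM = 800, 10        # section 1 thresholds
STEP_UP_AT, BLOCK_AT = 20, 80                  # assumed decision cut-offs

def haversine_km(lat1, lon1, lat2, lon2):
    dlat, dlon = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = (math.sin(dlat / 2) ** 2 + math.cos(math.radians(lat1))
         * math.cos(math.radians(lat2)) * math.sin(dlon / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def event(lat, lon, minutes, country, asn, asn_type="isp", **flags):
    # Constructed sample login: 'minutes' after a fixed epoch; flags default to False.
    ts = datetime(2026, 1, 29, tzinfo=timezone.utc) + timedelta(minutes=minutes)
    return {"lat": lat, "lon": lon, "timestamp": ts, "country": country, "asn": asn,
            "asn_type": asn_type, **{k: flags.get(k, False) for k in ("is_tor", "is_vpn", "is_proxy")}}

def score_login(history, login):
    """history = {'last': previous successful login or None, 'asn_pairs': set of (country, asn)}."""
    if login["is_tor"]:                              # hard block (section 2)
        return 100, "block", ["tor_exit"]
    score, reasons = 0, []
    for hit, weight, name in ((login["asn_type"] == "hosting", HOSTING_WEIGHT, "hosting_asn"),
                              (login["is_proxy"], PROXY_WEIGHT, "proxy"),
                              (login["is_vpn"], VPN_WEIGHT, "vpn")):  # VPN = step-up, not block (FAQ)
        if hit:
            score, reasons = score + weight, reasons + [name]
    last = history["last"]
    if last is not None:                             # velocity check (section 1)
        dist = haversine_km(last["lat"], last["lon"], login["lat"], login["lon"])
        hours = (login["timestamp"] - last["timestamp"]).total_seconds() / 3600
        # Zero or out-of-order timestamps fall back to the geo-IP drift tolerance.
        if (hours <= 0 and dist > GEOIP_DRIFT_KM) or (hours > 0 and dist / hours > MAX_SPEED_KMH):
            score, reasons = score + TRAVEL_WEIGHT, reasons + ["impossible_travel"]
    pair = (login["country"], login["asn"])          # ISP/ASN consistency (section 3)
    if history["asn_pairs"] and pair not in history["asn_pairs"]:
        score, reasons = score + NEW_ASN_WEIGHT, reasons + ["new_country_asn"]
    decision = "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return score, decision, reasons

def record_login(history, login):
    """Persist only successful logins so later attempts are judged against them."""
    history["last"] = login
    history["asn_pairs"].add((login["country"], login["asn"]))
```

A first login with no history scores 0; a New York login followed 30 minutes later by a Paris login on a new ISP accumulates both the impossible-travel and new-ASN weights and lands in step-up rather than block.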

Secure Your Auth Flow with IPASIS

IP data is the first line of defense against automated attacks. IPASIS provides enterprise-grade accuracy for VPN detection, proxy analysis, and geolocation.

Start integrating IP intelligence today with a free API key at IPASIS.com
