Scaling Security: IP Intelligence Best Practices for High-Growth Startups
High-growth startups face a specific paradox: you need to minimize friction to maximize user acquisition, yet your rapid growth makes you a prime target for automated fraud, account takeovers (ATO), and chargebacks. Implementing IP intelligence is not merely about blocking bad actors; it is about building a context-aware perimeter that scales with your infrastructure.
This guide outlines the architectural best practices for integrating IP intelligence APIs like IPASIS into high-throughput environments.
1. Implement Aggressive Caching Layers
Directly querying an external API for every request is an architectural anti-pattern in high-growth environments. Network latency adds up, and external dependencies can experience jitter. IP metadata (ISP, geolocation, ASN) is relatively static.
Recommendation: Implement a look-aside cache strategy (Redis/Memcached). Set a Time-To-Live (TTL) of 24 to 48 hours for IP metadata. This reduces API costs and ensures near-zero latency for repeat visitors.
2. Differentiate Threat Types (Hosting vs. Residential)
Blanket banning all proxies is a quick way to kill growth. Many legitimate users utilize corporate VPNs. You must distinguish between:
- Data Center/Hosting IPs: High probability of bot traffic (AWS, GCP, Azure ranges). Action: Challenge or Block.
- Residential Proxies: High cost to attackers, but harder to detect. Action: Velocity check.
- Public VPNs: Privacy-conscious users. Action: Allow, but flag for 2FA.
Python Implementation Example
The following Python snippet demonstrates a caching wrapper around the IPASIS API that implements basic threat logic.
import json
import logging
import redis
import requests

# Configuration
REDIS_HOST = 'localhost'
IPASIS_API_KEY = 'YOUR_API_KEY'
CACHE_TTL = 86400  # 24 hours

log = logging.getLogger(__name__)

# One client (and connection pool) per process; opening a new client per lookup is wasteful
r = redis.Redis(host=REDIS_HOST, port=6379, db=0)


def get_ip_reputation(ip_address):
    cache_key = f"ip_intel:{ip_address}"
    try:
        # 1. Check cache (look-aside): repeat visitors never hit the external API
        cached_data = r.get(cache_key)
        if cached_data:
            return json.loads(cached_data)
        # 2. Query IPASIS API with a tight timeout so a slow upstream cannot stall the request
        url = f"https://api.ipasis.com/json/{ip_address}?key={IPASIS_API_KEY}"
        response = requests.get(url, timeout=2.0)
        response.raise_for_status()
        data = response.json()
        # 3. Cache result for CACHE_TTL seconds
        r.setex(cache_key, CACHE_TTL, json.dumps(data))
        return data
    except (requests.RequestException, redis.RedisError, ValueError) as e:
        # Cache outage, API timeout/HTTP error or malformed JSON: log and return the fail-open default
        log.warning("IP Intelligence lookup failed for %s: %s", ip_address, e)
        return None


def evaluate_risk(ip_data):
    if not ip_data:
        return "ALLOW"  # Fail-open: lookup failed, let the request through
    security = ip_data.get('security', {})
    is_proxy = security.get('is_proxy', False)
    proxy_type = security.get('proxy_type')
    if is_proxy:
        # Block hosting/datacenter traffic immediately
        if proxy_type == 'hosting':
            return "BLOCK"
        # Flag VPNs for secondary verification (Captcha/2FA)
        if proxy_type == 'vpn':
            return "CHALLENGE"
    return "ALLOW"
3. Asynchronous Verification for Non-Critical Paths
Do not block the main thread for IP verification unless it is a gatekeeping event (e.g., payment processing or login). For analytics or content personalization:
- Serve the request immediately.
- Dispatch the IP lookup to a background worker (Sidekiq, Celery, BullMQ).
- Update the user session asynchronously.
This prevents the IP intelligence layer from impacting your Core Web Vitals (LCP/FID).
4. Fail-Open vs. Fail-Closed Strategies
Decide your failure mode based on the endpoint:
- Login/Payment: Fail-Closed (or Fail-to-Challenge). If the IP API times out, do not allow the transaction to proceed without Step-Up authentication (SMS/Email OTP). The risk of fraud outweighs the friction.
- Registration/Marketing: Fail-Open. If the API is unreachable, allow the user through. Do not lose a signup due to a third-party outage.
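The per-endpoint failure modes above, as an added example (not the page's or IPASIS's code): the failure mode is a property of the endpoint class, not of the lookup, so the same outage yields a step-up challenge on login but lets a signup through. The Endpoint names, the FAILURE_MODE table, the LookupUnavailable exception and the sample payloads are assumptions; the payloads reuse the security.is_proxy / proxy_type fields from the snippet above.

```python
from enum import Enum


class Endpoint(Enum):
    LOGIN = "login"
    PAYMENT = "payment"
    REGISTRATION = "registration"
    MARKETING = "marketing"


# Assumed policy table: what to return when the IP lookup itself fails
FAILURE_MODE = {
    Endpoint.LOGIN: "CHALLENGE",        # fail-to-challenge: step-up auth (SMS/Email OTP)
    Endpoint.PAYMENT: "CHALLENGE",
    Endpoint.REGISTRATION: "ALLOW",     # fail-open: never lose a signup to an outage
    Endpoint.MARKETING: "ALLOW",
}


class LookupUnavailable(Exception):
    """Raised by a lookup when the provider or cache is unreachable (assumed name)."""


def classify(ip_data):
    """Normal-path verdict for a successful lookup: hosting -> BLOCK, vpn -> CHALLENGE."""
    security = ip_data.get("security", {})
    if security.get("is_proxy"):
        if security.get("proxy_type") == "hosting":
            return "BLOCK"
        if security.get("proxy_type") == "vpn":
            return "CHALLENGE"
    return "ALLOW"


def decide(endpoint, lookup):
    """lookup is a zero-argument callable returning IP data, or raising/returning None on outage."""
    try:
        ip_data = lookup()
    except (LookupUnavailable, TimeoutError, ConnectionError):
        ip_data = None
    if ip_data is None:
        return FAILURE_MODE[endpoint]   # outage: endpoint decides, not the lookup
    return classify(ip_data)


# Constructed sample payloads and a simulated outage
HOSTING = {"security": {"is_proxy": True, "proxy_type": "hosting"}}
VPN = {"security": {"is_proxy": True, "proxy_type": "vpn"}}
CLEAN = {"security": {"is_proxy": False}}


def outage():
    raise TimeoutError("upstream IP API timed out")
```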
5. Handle IPv6 Canonicalization
As adoption grows, you will see inconsistent IPv6 formatting (compressed vs. expanded). Ensure your backend standardizes IPv6 addresses before hashing them for database lookups or cache keys. IPASIS handles standard formats, but internal consistency is key for accurate velocity tracking.
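The canonicalization step above, as an added example (not the page's or IPASIS's code) using Python's standard ipaddress module: every textual form of the same client (expanded, compressed, uppercase, bracketed, zone-suffixed, IPv4-mapped IPv6) collapses to one RFC 5952 string before it becomes a cache key or is hashed. It goes one step beyond the text by bucketing IPv6 velocity counters per /64, which is an assumption of ours, not something the page states; the key prefixes and helper names are also assumptions.

```python
import hashlib
import ipaddress


def canonical_ip(raw):
    """Return one canonical string for any textual IP form, or None if it does not parse."""
    text = raw.strip()
    # Drop an IPv6 zone id (fe80::1%eth0); it is link-local and meaningless as a key
    if "%" in text:
        text = text.split("%", 1)[0]
    # Bracketed form seen in URLs and some proxy headers: [2001:db8::1]
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # IPv4-mapped IPv6 (::ffff:203.0.113.7) is the same client as 203.0.113.7
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # .compressed is the RFC 5952 form: lowercase, longest zero run collapsed
    return addr.compressed


def cache_key(raw):
    """Look-aside cache key; identical for every spelling of the same address."""
    ip = canonical_ip(raw)
    return None if ip is None else f"ip_intel:{ip}"


def hashed_key(raw):
    """SHA-256 of the canonical form, for stores that must not hold raw IPs."""
    ip = canonical_ip(raw)
    return None if ip is None else hashlib.sha256(ip.encode()).hexdigest()


def velocity_bucket(raw):
    """Velocity-counter key: per host for IPv4, per /64 for IPv6 (assumed bucketing)."""
    ip = canonical_ip(raw)
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
```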
FAQ
Q: Should we block all Tor exit nodes? A: Generally, yes. Tor traffic is rarely legitimate for commercial SaaS platforms or e-commerce. It almost exclusively correlates with fraud or malicious scanning.
Q: How often does IP metadata change? A: IP ownership is fluid, but ISP and geolocation data is stable for days or weeks. Threat data (is this IP currently attacking?) changes faster. A 24-hour cache is the sweet spot for general metadata, while 15 minutes is better for active threat intelligence.
Q: Does IP intelligence violate GDPR? A: Processing IP addresses for security and fraud prevention is widely considered a "Legitimate Interest" under GDPR Recital 49. However, ensure you do not store raw logs indefinitely and use a provider like IPASIS that respects data privacy.
Secure Your Infrastructure with IPASIS
Don't let fraud scale with your user base. IPASIS provides enterprise-grade IP intelligence with sub-millisecond latency, robust proxy detection, and precise geolocation data.
Get your free API Key and start filtering traffic today.