ipasis
Blog/Security Engineering

IP Reputation Architecture: A Technical Guide for Engineering Managers

January 05, 20265 min read

Engineering managers often view IP reputation as a simple boolean toggle: is_bad_ip ? block : allow. In production environments dealing with high throughput, this binary approach fails. It leads to false positives that kill conversion rates and false negatives that allow credential stuffing.

Effective IP reputation management requires a nuanced architectural approach involving weighted scoring, ASN analysis, and latency-aware implementation.

Signal-to-Noise: Deconstructing "Reputation"

Not all "bad" IPs are equal. A generic threat score is insufficient for sophisticated logic. You must ingest specific telemetry points to build a context-aware security layer.

1. Connection Type (The High-Fidelity Signal)

This is your primary filter. Distinguish between:

  • Residential Proxies: High risk for account takeovers (ATO). These are legitimate devices rented out as exit nodes.
  • Data Center IPs: High risk for botting, low risk for human users (unless via VPN).
  • Tor Exit Nodes: almost exclusively malicious in a commercial context.

2. ASN Context

The Autonomous System Number (ASN) reveals the ISP. An IP from Comcast Cable (Residential) behaves differently than an IP from DigitalOcean (Hosting).

Rule of Thumb: If your user represents a human consumer, traffic from ASN 16509 (Amazon.com) or ASN 14061 (DigitalOcean) should trigger 2FA or CAPTCHA, regardless of the specific IP's history.

Architectural Placement: Middleware vs. Async Analysis

Where you place the IP check dictates system latency and failure modes.

The Gatekeeper Pattern (Blocking)

Place the check in the API Gateway or Edge Middleware. This requires an API response <50ms. Use this for binary blocks (e.g., Tor nodes, sanctioned countries).

Go Implementation (Middleware)

package middleware

import (
	"net/http"
	"github.com/ipasis/client"
)

func IPReputationGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := r.Header.Get("X-Forwarded-For")
		
		// synchronous check - requires low-latency provider
		data, err := ipasis.Check(ip)
		if err != nil {
			// Fail open to prevent downtime affecting legitimate users
			next.ServeHTTP(w, r)
			return
		}

		if data.Security.IsTor || data.Security.IsProxy {
			http.Error(w, "Access Denied: Anonymizer Detected", http.StatusForbidden)
			return
		}

		next.ServeHTTP(w, r)
	})
}

The Fraud Score Pattern (Flagging)

For complex decisions (e.g., credit card transactions), do not block synchronously. Enqueue the IP analysis alongside the transaction data. If the IP is a "Residential Proxy" but the device fingerprint matches a previous session, allow the transaction.

Constructing a Weighted Risk Model

Avoid vendor-supplied "risk scores" (0-100) as absolute truth. Construct a model specific to your threat vector. If you are protecting a streaming service, data center IPs are fatal. If you are a B2B SaaS, data center IPs are normal.

Python Implementation (Weighted Scoring)

def calculate_risk_score(ip_data):
    score = 0
    
    # Factor 1: Connection Type (Heaviest Weight)
    if ip_data.get('is_tor'):
        score += 100
    elif ip_data.get('is_vpn'):
        score += 30
    elif ip_data.get('is_proxy'):
        score += 50

    # Factor 2: ASN Type
    if ip_data.get('asn_type') == 'hosting':
        score += 25

    # Factor 3: Abuse Velocity (Custom Internal Metric)
    # Check your internal Redis for requests from this IP in last 1m
    if internal_velocity_check(ip_data['ip']) > 100:
        score += 40

    return min(score, 100)

# Usage
risk = calculate_risk_score(ipasis_response)
if risk > 80:
    raise BlockAction()
elif risk > 40:
    trigger_captcha()

Performance & Caching Strategy

IP reputation data is semi-volatile. An IP assigned to a mobile device changes frequently; a data center IP remains static for months.

  1. Cache Positive Results: If an IP is clean, cache for 10-15 minutes. Mobile IPs churn quickly.
  2. Cache Negative Results: If an IP is a Tor node, cache for 24 hours. These rarely become clean overnight.
  3. Fail Open: If the IP API times out, allow traffic but log the event. Never let a third-party dependency cause a global outage.

FAQ

Should we block all VPNs?

Generally, no. For B2C applications, 15-20% of legitimate traffic may use VPNs for privacy. Instead of blocking, trigger a step-up challenge (email verification or CAPTCHA).

How do we handle IPv6?

Ensure your provider supports IPv6. While IPv6 rotation makes rate limiting harder, the ASN and Connection Type signals remain reliable indicators of intent.

What is the impact on latency?

Using a specialized provider like IPASIS, the overhead should be under 50ms. If your provider averages >200ms, move the check out of the critical path or switch providers.

Secure Your Architecture with IPASIS

Don't rely on black-box risk scores. IPASIS provides the raw, granular data engineering teams need to build custom security logic. With sub-50ms latency and detailed ASN/Proxy classification, it is built for the backend.

Get your API Key and start filtering traffic intelligently.

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key