
IP Reputation Metrics: An Engineering Guide to Fraud Prevention

March 01, 2026 · 8 min read

In modern fraud prevention architectures, the IP address remains the earliest and most efficient signal for filtering malicious traffic. However, raw IP addresses offer limited utility. The value lies in the metadata—specifically, reputation metrics that indicate the likelihood of automated bot traffic, account takeover attempts, or credit card fraud.

This guide outlines the technical metrics required to build a robust IP scoring engine and provides implementation examples using the IPASIS API.

1. Connection Type (VPN, Proxy, and Tor)

The most significant indicator of intent is the use of anonymization layers. Legitimate users rarely access banking or e-commerce checkout flows via Tor exit nodes or high-risk public proxies.

Your ingestion pipeline should classify connections into three tiers of risk:

  • Residential Proxies: High risk. Often composed of botnets routing traffic through infected consumer devices so that it appears to originate from legitimate home connections.
  • Data Center VPNs: Medium risk. Often used to bypass geo-restrictions or mask origin, but easily identifiable via ASN.
  • Tor Exit Nodes: Critical risk. Almost exclusively associated with malicious intent in commercial contexts.

Implementation (Python)

Rejecting traffic based on connection type reduces load on downstream compute-heavy fraud checks (e.g., device fingerprinting).

import requests

IPASIS_API_KEY = "YOUR_API_KEY"

def validate_ip_connection(ip_address):
    # IPASIS API endpoint; the key is sent as a query parameter
    url = "https://api.ipasis.com/v1/lookup"
    params = {"ip": ip_address, "key": IPASIS_API_KEY}

    # Bound the call: a hung reputation lookup must not stall the login path
    response = requests.get(url, params=params, timeout=2)
    response.raise_for_status()
    data = response.json()
    security = data.get("security", {})

    # Immediate rejection criteria
    if security.get("is_tor"):
        return False, "Tor Exit Node Detected"

    if security.get("is_proxy") and security.get("proxy_type") == "residential":
        return False, "Residential Proxy Detected"

    # Flag for manual review
    if security.get("is_vpn"):
        return True, "Review: VPN Detected"

    return True, "Clean"

2. ASN Context and Usage Type

Not all Autonomous System Numbers (ASNs) are created equal. Analyzing the usage_type of an ASN is critical for distinguishing bots from humans.

  • ISP/Residential: Traffic originating from Comcast, AT&T, or Deutsche Telekom is generally low risk.
  • Hosting/Data Center: Traffic from AWS, DigitalOcean, or Hetzner is high risk for user login or signup endpoints. Real users do not browse from cloud servers.

If an IP belongs to a Hosting ASN but is not flagged as a known VPN, it is likely a custom crawler or a script runner.

Implementation (Go)

package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

type IPResponse struct {
	ASN struct {
		Type string `json:"type"` // e.g., "hosting", "isp"
		Name string `json:"name"`
	} `json:"asn"`
}

// Bound the lookup so a slow reputation API cannot stall the request path
var client = &http.Client{Timeout: 2 * time.Second}

func CheckASN(ip string, apiKey string) bool {
	// The IP string comes from the request, so escape it before building the query
	endpoint := fmt.Sprintf("https://api.ipasis.com/v1/lookup?ip=%s&key=%s",
		url.QueryEscape(ip), url.QueryEscape(apiKey))
	resp, err := client.Get(endpoint)
	if err != nil {
		return false
	}
	defer resp.Body.Close()

	var data IPResponse
	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
		// An unparseable response is a failed check, not a silent allow
		return false
	}

	// Block hosting providers for user-centric actions
	if data.ASN.Type == "hosting" {
		fmt.Printf("Blocked traffic from hosting provider: %s\n", data.ASN.Name)
		return false
	}

	return true
}

3. Geographic Velocity (Impossible Travel)

Static analysis of a single request is insufficient for account takeover (ATO) detection. You must analyze the IP against the user's historical session data.

Impossible Travel occurs when two requests from the same user account originate from geographically distant IPs within a timeframe that makes physical travel impossible.

Formula: Speed = Distance(Geo1, Geo2) / TimeDelta(t1, t2)

If the speed exceeds ~900 km/h (typical airplane velocity), the session should be invalidated.
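The speed formula above, carried through in code as an added example (not part of the original guide): great-circle distance via the haversine formula, divided by the elapsed time between two logins, compared against the 900 km/h threshold. The session records and coordinates are constructed sample data.

```python
import math

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # the guide's airliner-speed threshold


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_speed_kmh(prev, curr):
    """Speed = Distance(Geo1, Geo2) / TimeDelta(t1, t2).

    prev and curr are session records: dicts with lat, lon and ts (unix seconds).
    """
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    hours = (curr["ts"] - prev["ts"]) / 3600.0
    if hours <= 0:
        # Same-second or out-of-order events: any displacement is impossible,
        # zero displacement is fine. Avoids a division by zero.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def is_impossible_travel(prev, curr, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """True when the implied speed exceeds the threshold; the session should be invalidated."""
    return travel_speed_kmh(prev, curr) > max_speed_kmh


# Constructed sample sessions (not real data): a London login, then a second
# login two hours later from either Sydney (impossible) or Paris (plausible).
T0 = 1_700_000_000
LONDON = {"lat": 51.5074, "lon": -0.1278, "ts": T0}
SYDNEY = {"lat": -33.8688, "lon": 151.2093, "ts": T0 + 2 * 3600}
PARIS = {"lat": 48.8566, "lon": 2.3522, "ts": T0 + 2 * 3600}

if __name__ == "__main__":
    print("London -> Sydney impossible:", is_impossible_travel(LONDON, SYDNEY))
    print("London -> Paris impossible:", is_impossible_travel(LONDON, PARIS))
```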

4. Abuse Velocity and Risk Scoring

Beyond binary flags (Proxy: Yes/No), a composite risk score allows for nuanced thresholds. This score should factor in recent abuse reports associated with the IP subnet.

High-quality IP intelligence APIs provide a pre-calculated risk score (0-100).

  • Score > 80: Auto-block.
  • Score 50-79: Trigger CAPTCHA or 2FA.
  • Score < 50: Allow.

FAQ

Q: How do we handle IPv6 addresses? A: Fraud detection logic should apply equally to IPv6. However, when rate-limiting or blocking, apply rules to the /64 subnet rather than the single IP, as attackers can rotate IPv6 addresses infinitely within a subnet.

Q: What about false positives with VPNs? A: Corporate VPNs are common in B2B contexts. Instead of blocking all VPNs, cross-reference the is_vpn flag with the ASN name. If the ASN is a known corporate entity, lower the risk score.

Q: Should we cache IP reputation responses? A: Yes, but with short TTLs (e.g., 10-15 minutes). IP reputation is dynamic; a residential IP can become part of a botnet and be cleaned up within hours.

Secure Your Infrastructure with IPASIS

Effective fraud prevention requires data precision. IPASIS delivers enterprise-grade IP intelligence with sub-millisecond latency, detecting VPNs, proxies, and high-risk ASNs in real-time.

Get your free API key at IPASIS.com and start filtering malicious traffic today.
