ipasis
Blog/Security Engineering

IP Reputation for SaaS Security: A Practical Guide

January 27, 20267 min read

SaaS architectures are prime targets for automated abuse, ranging from trial farming and credential stuffing to chargeback fraud. While behavioral biometrics and 2FA are critical, IP reputation remains the most efficient first line of defense. It allows security engineers to filter traffic at the edge before it consumes expensive application resources.

The Mechanics of IP Intelligence

IP reputation is not merely a static blocklist. Modern IP intelligence aggregates real-time signals to categorize connectivity:

  • Connection Type: Distinguishing between Residential (ISP), Business, Cellular, and Datacenter IPs.
  • Privacy Detection: Identifying VPNs, TOR exit nodes, and HTTP/SOCKS proxies.
  • Abuse Velocity: Tracking recent malicious activity associated with the ASN or subnet.

For SaaS platforms, Datacenter IPs usually indicate bot traffic, while Residential IPs are standard for end-users. An IP belonging to a hosting provider (e.g., AWS, DigitalOcean) attempting to log in to a consumer account is a high-fidelity signal of an anomaly.

Critical Integration Points

Do not inspect every request. This adds unnecessary latency. Instead, inspect IPs at high-risk state changes:

  1. Registration (Sign-up): Block bulk account creation by restricting Datacenter IPs and known VPNs.
  2. Authentication (Login): Flag logins from unexpected geolocation changes or high-risk ASNs to trigger 2FA.
  3. Checkout/Payment: Cross-reference IP location with billing address to reduce chargebacks.

Technical Implementation

Below are implementation patterns for integrating IPASIS into common backend environments.

Python (FastAPI/Flask Middleware)

In Python environments, middleware can intercept the request before it reaches the route handler. Ensure you parse X-Forwarded-For correctly if behind a load balancer.

import requests
from fastapi import Request, HTTPException

def validate_ip_integrity(ip_address: str) -> bool:
    try:
        # IPASIS lookup
        response = requests.get(f"https://api.ipasis.com/json/{ip_address}?key=YOUR_API_KEY", timeout=2)
        data = response.json()
        
        # Risk Policy: Block TOR and High Risk Proxies
        if data.get('is_tor') or data.get('risk_score', 0) > 85:
            return False
            
        # Business Policy: Block Datacenter IPs on Sign-up
        if data.get('is_datacenter'):
            return False
            
        return True
    except Exception:
        # Fail open to prevent blocking legitimate users during API outages
        return True

Node.js (Express Middleware)

For Node.js, asynchronous lookups should be handled efficiently to avoid blocking the event loop.

const axios = require('axios');

const ipReputationMiddleware = async (req, res, next) => {
  const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
  
  try {
    const { data } = await axios.get(`https://api.ipasis.com/json/${ip}?key=${process.env.IPASIS_KEY}`);

    // Check for VPNs used to bypass geo-restrictions
    if (data.is_vpn && data.country_code !== 'US') {
      return res.status(403).json({
        error: 'Access_Denied',
        message: 'VPN usage is restricted for this region.'
      });
    }

    // Attach intelligence to request object for downstream logic
    req.ip_intelligence = data;
    next();
  } catch (error) {
    console.error('IP Reputation Lookup Failed', error);
    next(); // Fail open
  }
};

Go (Golang)

Go's concurrency model makes it ideal for performing these checks with minimal overhead.

package main

import (
	"encoding/json"
	"net/http"
	"time"
)

type IPResponse struct {
	IsProxy     bool `json:"is_proxy"`
	IsCrawler   bool `json:"is_crawler"`
	RiskScore   int  `json:"risk_score"`
}

func checkIP(ip string) (bool, error) {
	client := http.Client{Timeout: 2 * time.Second}
	resp, err := client.Get("https://api.ipasis.com/json/" + ip + "?key=YOUR_KEY")
	if err != nil {
		return true, err // Fail open
	}
	defer resp.Body.Close()

	var data IPResponse
	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
		return true, err
	}

	// Block known crawlers on sensitive endpoints
	if data.IsCrawler || data.RiskScore > 90 {
		return false, nil
	}
	return true, nil
}

Handling False Positives

Aggressive blocking can impact user acquisition. Instead of a hard block (403 Forbidden), consider these soft mitigation strategies based on IP reputation:

  1. Challenge: Serve a CAPTCHA or proof-of-work challenge.
  2. Verify: Force email or SMS verification before allowing the action.
  3. Limit: Apply stricter rate limits to the session.

FAQ

Q: Should I cache IP reputation responses? A: Yes. IPs are dynamic, but they rarely change categorization (e.g., residential to datacenter) within minutes. A TTL of 10-15 minutes (using Redis or Memcached) significantly reduces API costs and latency.

Q: How do I handle IPv6? A: Ensure your networking stack and the intelligence provider support IPv6. Abuse on IPv6 often requires blocking /64 subnets rather than single addresses due to the vast address space.

Q: What is the "Fail Open" strategy mentioned in the code? A: If the IP intelligence API times out or is unreachable, default to allowing the user access ("Fail Open") rather than blocking them. Availability usually trumps security for general SaaS traffic, unless the endpoint is highly sensitive (e.g., admin login).

Secure Your Stack with IPASIS

IP reputation is a low-friction, high-value addition to your security posture. IPASIS provides enterprise-grade detection for proxies, VPNs, and bad actors with sub-millisecond latency.

[Get your free API key] and start filtering malicious traffic today.

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key