Mitigating Free Trial Abuse: A Technical Guide to IP Fingerprinting
The Mechanics of Trial Farming
Free trial abuse (or "trial farming") artificially inflates user metrics and degrades service quality for legitimate customers. While email aliasing (e.g., user+test1@gmail.com) is easily caught via regex, sophisticated abusers utilize two primary vectors to bypass identity checks:
- Disposable Domains: Ephemeral email services.
- IP Obfuscation: Rotating residential proxies, VPNs, or Tor exit nodes to mask the origin.
Traditional rate limiting (Leaky Bucket) fails here because the requests originate from distinct IP addresses. The solution lies in inspecting the metadata of the IP address itself during the registration handshake.
The IP Intelligence Layer
To effectively stop abuse without hurting conversion rates, you must categorize incoming traffic. We are looking for high-risk indicators:
- Datacenter IPs: IPs belonging to hosting providers (AWS, DigitalOcean). Real users rarely sign up from a datacenter IP.
- Public Proxies/VPNs: Known anonymizers used to bypass geo-restrictions or bans.
- Tor Exit Nodes: High probability of malicious intent.
Integrating IPASIS allows you to query these attributes in real-time (<100ms latency) before provisioning resources.
Implementation Strategy
Do not block immediately. Blocking creates a cat-and-mouse game. Instead, implement Dynamic Friction:
- Low Risk (Residential/Mobile ISP): Allow frictionless signup.
- Medium Risk (Unknown VPN): Require phone verification (SMS).
- High Risk (Tor/Datacenter): Block or require immediate credit card payment.
Python Implementation
The following logic demonstrates a standard check using the IPASIS API during the registration route.
import requests
from flask import Flask, request, jsonify

app = Flask(__name__)


def is_high_risk_ip(ip_address):
    # In production, cache this result in Redis to save API calls
    api_key = "YOUR_IPASIS_KEY"
    url = f"https://api.ipasis.com/v1/{ip_address}?key={api_key}"
    try:
        resp = requests.get(url, timeout=2.0)
        resp.raise_for_status()
        data = resp.json()
        # Check for high-risk attributes
        security = data.get('security', {})
        if security.get('is_tor') or security.get('is_proxy') or security.get('is_datacenter'):
            return True
        return False
    except Exception:
        # Fail open or closed depending on security posture (this version fails open)
        return False


@app.route('/signup', methods=['POST'])
def signup():
    # Behind a reverse proxy, wrap the app in werkzeug's ProxyFix so that
    # remote_addr reflects the client rather than the proxy
    client_ip = request.remote_addr
    if is_high_risk_ip(client_ip):
        # Return specific error or challenge
        return jsonify({
            "error": "risk_detected",
            "message": "Please verify via SMS or disable VPN to continue."
        }), 403
    # Proceed with registration logic...
    return jsonify({"status": "success"}), 201
Node.js Middleware Example
For Express.js applications, this logic is best situated as middleware.
const express = require('express');
const axios = require('axios');

const app = express();
app.use(express.json());
// Behind a reverse proxy, enable trust proxy so req.ip reflects the client, not the proxy
app.set('trust proxy', 1);

const ipRiskMiddleware = async (req, res, next) => {
  const ip = req.ip || req.socket.remoteAddress;
  const API_KEY = process.env.IPASIS_KEY;
  try {
    const response = await axios.get(`https://api.ipasis.com/v1/${ip}?key=${API_KEY}`, { timeout: 2000 });
    const { security = {} } = response.data;
    // Block Tor and Datacenter IPs specifically
    if (security.is_tor || security.is_datacenter) {
      return res.status(403).json({ error: 'Signups from this network are restricted.' });
    }
    next();
  } catch (error) {
    console.error('IP Intelligence lookup failed', error);
    next(); // Fail open
  }
};

const registrationHandler = (req, res) => {
  // Registration logic goes here
  res.status(201).json({ status: 'success' });
};

app.post('/api/register', ipRiskMiddleware, registrationHandler);
Handling Velocity Attacks
Sophisticated attackers use residential proxy networks (rotating clean IPs). Static analysis alone may miss these. Combine IP intelligence with velocity checks:
- ASN Velocity: Rate limit signups per Autonomous System Number (ASN). If you see 50 signups from AS1234 in one minute, flag the ASN temporarily.
- Fingerprinting: Combine IP checks with browser fingerprinting (Canvas/WebGL) to detect distinct devices behind rotating IPs.
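The ASN velocity check above, combined with the Dynamic Friction tiers from the Implementation Strategy section, as an added example (not IPASIS's own code). The 'security' dict mirrors the shape used in the Flask snippet; the ASN values, the 60-second/50-signup threshold handling and the tier mapping are assumptions for illustration.

```python
# Added example (not IPASIS's own code): per-ASN sliding-window velocity check feeding the
# Dynamic Friction tiers. ASN values and the tier mapping are assumptions; timestamps are kept
# in memory here, but in production keep them in Redis so every worker sees the same counts.
import time
from collections import defaultdict, deque

class AsnVelocityTracker:
    """Flag an ASN when `threshold` signups arrive within `window` seconds."""
    def __init__(self, window=60, threshold=50, flag_ttl=600):
        self.window, self.threshold, self.flag_ttl = window, threshold, flag_ttl
        self._events = defaultdict(deque)  # asn -> timestamps of recent signups
        self._flagged_until = {}           # asn -> epoch second at which the flag expires

    def _prune(self, asn, now):
        q = self._events[asn]
        while q and now - q[0] >= self.window:  # drop signups that left the window
            q.popleft()

    def record_signup(self, asn, now=None):
        """Record one signup from `asn`; return True if the ASN is flagged afterwards."""
        now = time.time() if now is None else now
        self._prune(asn, now)
        self._events[asn].append(now)
        if len(self._events[asn]) >= self.threshold:
            self._flagged_until[asn] = now + self.flag_ttl  # temporary flag, renewed on repeat
        return self.is_flagged(asn, now)

    def is_flagged(self, asn, now=None):
        now = time.time() if now is None else now
        until = self._flagged_until.get(asn)
        if until is not None and now < until:
            return True
        self._flagged_until.pop(asn, None)  # expired or never set
        return False

    def signups_in_window(self, asn, now=None):
        now = time.time() if now is None else now
        self._prune(asn, now)
        return len(self._events[asn])

def risk_tier(security, asn_flagged):
    """Map IP attributes plus the ASN velocity flag to a friction tier (assumed mapping)."""
    if security.get("is_tor") or security.get("is_datacenter"):
        return "high"    # block, or require immediate payment
    if security.get("is_proxy") or asn_flagged:
        return "medium"  # e.g. SMS verification instead of a hard 403
    return "low"         # frictionless signup
```

Call `record_signup(asn)` on every signup attempt and pass `is_flagged(asn)` into `risk_tier` together with the lookup's `security` attributes; the flag expires on its own after `flag_ttl` seconds.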
FAQ
Q: Will blocking VPNs hurt legitimate user acquisition?
A: It can. This is why we recommend "Dynamic Friction" rather than a hard block. If a user is on a VPN, challenge them with a CAPTCHA or email verification rather than a 403 Forbidden.
Q: How do we handle CGNAT (Carrier-Grade NAT)?
A: Mobile networks share IPs among thousands of users. IPASIS identifies is_mobile. You should generally exempt mobile ISPs from signup blocking to avoid false positives, but apply stricter rate limits to them.
Q: What is the latency impact?
A: The IPASIS API is edge-cached. Lookups typically complete in under 100ms. For non-blocking UX, perform the check asynchronously during the "Email Verification" step rather than the initial "Submit" click.
Secure Your Stream with IPASIS
Stop paying for server resources consumed by bots and trial farmers. IPASIS provides enterprise-grade detection for proxies, VPNs, and risk scoring.
Get your API Key and start filtering traffic today.