How to Protect Public APIs from Anonymous Traffic: VPNs, Proxies, and Tor
Public APIs are the gateway to your application’s data, making them a primary target for automated abuse. While authentication handles user identity, it does not validate the network identity of the requester. Anonymous traffic—originating from VPNs, residential proxies, Tor exit nodes, and hosting centers—is frequently correlated with credential stuffing, aggressive scraping, and DDoS attacks.
This guide outlines the technical strategies required to filter anonymous traffic at the edge and application layers.
The Anatomy of Anonymous Traffic
To effectively block anonymous traffic, you must categorize the source IP addresses. A binary "allow/block" list is insufficient; you need granular classification:
- Hosting/Data Center IPs: Traffic originating from AWS, GCP, Azure, or DigitalOcean. Unless your API serves server-to-server webhooks, legitimate human traffic rarely originates here.
- Tor Exit Nodes: Anonymity network endpoints. Highly correlated with malicious intent in commercial applications.
- Public Proxies & VPNs: Commercial VPNs used to bypass geo-restrictions or mask identity.
- Residential Proxies: The most difficult vector. These hijack legitimate ISP connections (often via compromised IoT devices) to route malicious traffic.
Strategy 1: IP Intelligence Middleware
The most effective defense is integrating real-time IP intelligence middleware. This involves querying an IP reputation database before processing resource-intensive logic.
Implementation Pattern
Do not query external APIs synchronously within the request loop without caching. This adds latency and creates a bottleneck. Instead, use a "Look-aside" caching strategy with Redis.
Node.js (Express) Implementation
const express = require('express');
const axios = require('axios');
const Redis = require('ioredis');
const redis = new Redis();
const app = express();
// IPASIS configuration
const IPASIS_API_KEY = process.env.IPASIS_KEY;
const ipFilterMiddleware = async (req, res, next) => {
const ip = req.ip;
const cacheKey = `ip_rep:${ip}`;
try {
// 1. Check Cache
const cachedReputation = await redis.get(cacheKey);
if (cachedReputation) {
const data = JSON.parse(cachedReputation);
if (data.block) return res.status(403).json({ error: 'Access Denied' });
return next();
}
// 2. Query IPASIS Intelligence API
const response = await axios.get(`https://api.ipasis.com/v1/lookup?ip=${ip}`, {
headers: { 'X-API-Key': IPASIS_API_KEY }
});
const { is_vpn, is_proxy, is_tor, is_datacenter } = response.data;
// 3. Define Blocking Logic
const shouldBlock = is_tor || is_proxy || is_datacenter;
// 4. Cache Result (TTL: 1 hour)
await redis.set(cacheKey, JSON.stringify({ block: shouldBlock }), 'EX', 3600);
if (shouldBlock) {
return res.status(403).json({ error: 'Anonymous traffic not permitted.' });
}
next();
} catch (error) {
// Fail open or closed depending on security posture
console.error('IP Reputation check failed', error);
next();
}
};
app.use(ipFilterMiddleware);
Strategy 2: ASN Blocking
Autonomous System Numbers (ASNs) identify the network operator. For B2C applications, blocking ASNs associated with hosting providers is a high-leverage move.
If your API is consumed by mobile apps or web browsers, traffic should originate from residential ISPs (Comcast, Verizon, Vodafone, etc.). Traffic from AS16509 (Amazon.com) or AS14061 (DigitalOcean) attempting to login to a user account is a strong indicator of a bot.
Python (FastAPI) implementation for ASN filtering:
from fastapi import FastAPI, Request, HTTPException
app = FastAPI()
# List of prohibited ASNs (Cloud Providers)
BLOCKED_ASNS = {
16509, # Amazon.com
15169, # Google LLC
8075, # Microsoft
14061 # DigitalOcean
}
@app.middleware("http")
async def filter_hosting_providers(request: Request, call_next):
client_ip = request.client.host
# Hypothetical function to get ASN from local DB or IPASIS SDK
asn_info = get_asn_info(client_ip)
if asn_info['asn'] in BLOCKED_ASNS:
# Log the attempt for security auditing
logger.warning(f"Blocked hosting provider traffic from {client_ip}")
return JSONResponse(status_code=403, content={"detail": "Hosting provider traffic forbidden"})
response = await call_next(request)
return response
Strategy 3: TLS Fingerprinting (JA3)
Sophisticated bots often rotate IPs to bypass reputation checks. However, the client software (the bot script) often leaves a static fingerprint during the TLS handshake.
JA3 hashes the parameters of the TLS "Client Hello" packet. If an incoming request claims to be Chrome on Windows but the JA3 hash matches a known Python requests or Golang net/http library, you should flag the request regardless of the IP reputation.
Frequently Asked Questions
Q: Will blocking VPNs affect legitimate users?
A: Yes, it can. Privacy-conscious users often utilize VPNs. Instead of a hard block, consider serving a CAPTCHA or requiring Multi-Factor Authentication (MFA) when a VPN is detected. Reserve hard blocks for Tor nodes and Datacenter IPs.
Q: How do I handle false positives?
A: Implement a "Risk Score" rather than a boolean flag. Aggregate signals (IP reputation + User Agent + Request Velocity). If the score exceeds a threshold, trigger a challenge. Always maintain an allow-list for known partner IPs.
Q: Does this add latency?
A: Network lookups add latency. This is why caching (Redis/Memcached) is mandatory. With proper caching, the overhead is negligible (sub-millisecond for cached hits).
Secure Your Perimeter with IPASIS
Building internal databases of proxy lists and ASN rules is maintenance-heavy and prone to staleness.
IPASIS provides enterprise-grade IP intelligence to detect VPNs, proxies, and Tor nodes in real-time. Our API delivers accurate metadata to help you distinguish between a legitimate user behind a privacy tool and a botnet launching an attack.
Get your API Key and start sanitizing your traffic today.