Securing B2B SaaS: Implementing IP Intelligence for Access Control and Fraud Prevention

B2B SaaS platforms are high-value targets for Account Takeovers (ATO) and credential stuffing attacks due to the sensitive data they house. Traditional credential-based authentication is insufficient for modern threat landscapes. Implementing IP intelligence serves as a critical, low-latency signal layer in a Zero Trust architecture.

This guide details how to integrate IPASIS to detect anonymizers, enforce geo-compliance, and calculate impossible travel velocity.

1. Detecting Anonymizers (VPNs, Proxies, Tor)

Attackers rarely expose their true origin. They utilize residential proxies, commercial VPNs, or the Tor network to bypass rate limits and obscure their identity. For a B2B platform, a login attempt originating from a high-risk anonymity network should trigger step-up authentication (MFA) or an immediate block.

Implementation Strategy

Query the IPASIS API during the authentication handshake. Inspect the security object for is_vpn, is_proxy, or is_tor flags.

Python Implementation (Flask Middleware Context):

import requests
from flask import request, abort

def validate_ip_security(ip_address):
    # In production, prioritize getting the real IP from X-Forwarded-For headers
    api_key = "YOUR_IPASIS_KEY"
    url = f"https://api.ipasis.com/v1/{ip_address}?key={api_key}"
    
    try:
        response = requests.get(url, timeout=0.5)
        data = response.json()
        
        security = data.get('security', {})
        
        # Block Tor exit nodes immediately
        if security.get('is_tor'):
            return False, "Access denied: Anonymizer detected."
            
        # Flag VPNs for MFA trigger (soft block)
        if security.get('is_vpn'):
            return False, "MFA_REQUIRED"
            
        return True, "OK"
        
    except requests.exceptions.RequestException:
        # Fail open or closed depending on security posture
        return True, "Service unavailable, failing open"

2. Preventing Impossible Travel (Velocity Checks)

Impossible travel detection compares the geolocation of the current login against the user's previous login. If the physical distance divided by the time delta exceeds reasonable travel speed (e.g., 800 km/h), the session is likely compromised.

Implementation Strategy

Store the last known latitude, longitude, and timestamp in your Redis session store. On new requests, calculate the Haversine distance.

Node.js Implementation:

const axios = require('axios');

async function checkImpossibleTravel(userId, currentIp) {
    const ipData = await axios.get(`https://api.ipasis.com/v1/${currentIp}?key=${process.env.IPASIS_KEY}`);
    const { latitude, longitude } = ipData.data.location;
    
    const lastLogin = await redis.get(`user:${userId}:last_location`);
    
    if (lastLogin) {
        const prev = JSON.parse(lastLogin);
        const distanceKm = getHaversineDistance(prev.lat, prev.lon, latitude, longitude);
        const timeDeltaHours = (Date.now() - prev.timestamp) / 1000 / 60 / 60;
        
        const velocity = distanceKm / timeDeltaHours;
        
        // Threshold: 800km/h (approx commercial flight speed)
        if (velocity > 800 && distanceKm > 100) {
            throw new Error("Impossible travel detected");
        }
    }
    
    // Update last location
    await redis.set(`user:${userId}:last_location`, JSON.stringify({
        lat: latitude,
        lon: longitude,
        timestamp: Date.now()
    }));
}

3. Enforcing Geo-Compliance and Embargoes

B2B SaaS providers must often comply with OFAC regulations or regional licensing agreements. IP intelligence allows you to enforce access controls at the edge or application layer based on ISO 3166-1 alpha-2 country codes.

Go Implementation:

package main

import (
	"encoding/json"
	"net/http"
	"slices"
)

type IPResponse struct {
	Location struct {
		CountryCode string `json:"country_code"`
	} `json:"location"`
}

func checkEmbargo(ip string) bool {
	embargoedCountries := []string{"KP", "IR", "CU", "SY"}
	resp, err := http.Get("https://api.ipasis.com/v1/" + ip + "?key=YOUR_KEY")
	if err != nil {
		return false // Fail closed for compliance
	}
	defer resp.Body.Close()

	var data IPResponse
	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
		return false
	}

	return !slices.Contains(embargoedCountries, data.Location.CountryCode)
}

4. Contextualizing Datacenter Traffic

Legitimate users typically access SaaS platforms via residential or corporate ISPs (ASNs). Traffic originating from hosting providers (e.g., DigitalOcean, AWS, Linode) often indicates automated bots or scrapers.

Use the asn.type field in the IPASIS response. If asn.type equals hosting, consider applying stricter rate limiting or CAPTCHA challenges.

FAQ

Q: Will checking IP intelligence introduce latency?

A: IPASIS is engineered for real-time applications with sub-50ms response times. For critical paths, we recommend asynchronous checks or caching results in Redis for repeat IP visits.

Q: How do we handle legitimate users on corporate VPNs?

A: Distinguish between commercial anonymizers (ExpressVPN, NordVPN) and business ASNs. While both mask IPs, corporate VPNs usually map to known business entities. IPASIS data allows you to whitelist specific corporate ASNs if necessary.

Q: Does this work with IPv6?

A: Yes, IPASIS fully supports IPv6 address resolution and intelligence.

Secure Your Stack with IPASIS

Don't wait for a data breach to upgrade your access control logic. Integrate robust IP intelligence today to filter noise, stop fraud, and ensure compliance.

Get your free API key at IPASIS and start securing your B2B infrastructure.