Stop API Abuse Before It Breaks Your Infrastructure
Credential stuffing, data scraping, enumeration attacks, and rate limit evasion — your API is under constant automated attack. IPASIS adds a real-time IP intelligence layer that identifies and blocks abusive traffic before it hits your business logic.
6 Ways Bots Abuse Your API
Traditional rate limiting catches volume attacks. It misses distributed attacks from thousands of IPs, each sending just a few requests. Here's what you're up against:
Credential Stuffing
Billions of leaked username/password pairs tested against your login endpoint. Distributed across thousands of residential proxy IPs to stay under rate limits. 0.1-2% success rate is enough to be profitable.
Data Scraping
Competitors and data brokers systematically scrape your API responses — pricing, product catalogs, user directories, search results. They use your compute to build their business.
Enumeration Attacks
Attackers probe endpoints to discover valid usernames, email addresses, coupon codes, or API keys. Your "user not found" vs "wrong password" response reveals account existence.
Carding & Payment Fraud
Stolen credit cards tested against your checkout or payment API. Each failed attempt costs you processor fees and pushes you toward chargeback thresholds.
Rate Limit Evasion
Attackers rotate through thousands of IPs (residential proxies, botnets) to stay under per-IP rate limits. Each IP makes 5 requests, but collectively they make millions.
Free Tier Abuse
Bots create hundreds of accounts to exploit your free tier — burning through API credits, free trials, and promotional offers. Each account looks legitimate in isolation.
How IPASIS Prevents API Abuse
Score Every Request
Add one middleware call to your API. IPASIS returns a risk score, connection type (datacenter/residential/mobile), VPN/proxy/Tor status, and abuse history — all in under 20ms.
Block Datacenter Traffic
Real API consumers come from residential ISPs or mobile carriers. Traffic from AWS, GCP, DigitalOcean, and other hosting providers is almost always automated. Block or challenge it.
Detect Proxy Rotation
Even when attackers rotate through residential proxies, IPASIS identifies known proxy network IPs in real-time. The IP may be residential, but if it's currently being used as a proxy, we flag it.
Risk-Based Rate Limiting
Instead of one rate limit for everyone, tier your limits by IP risk: generous limits for clean residential IPs, strict limits for VPNs and proxies, and zero tolerance for known abusive IPs.
Add API Abuse Prevention in 10 Lines
Drop this middleware into your API server. Every request gets scored before hitting your business logic.
import { NextRequest, NextResponse } from 'next/server';
export async function middleware(req: NextRequest) {
const ip = req.headers.get('x-forwarded-for')?.split(',')[0] || req.ip;
const risk = await fetch(`https://api.ipasis.com/v1/lookup?ip=${ip}`, {
headers: { Authorization: `Bearer ${process.env.IPASIS_API_KEY}` },
}).then(r => r.json());
// Block high-risk IPs immediately
if (risk.risk_score > 75 || (risk.is_datacenter && !risk.is_crawler)) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
}
// Stricter rate limits for medium-risk traffic
if (risk.risk_score > 40 || risk.is_vpn) {
// Apply 10 req/min limit instead of 60 req/min
const key = `ratelimit:strict:${ip}`;
// ... your rate limiting logic
}
// Attach risk data for downstream handlers
const response = NextResponse.next();
response.headers.set('x-ip-risk', String(risk.risk_score));
return response;
}from fastapi import FastAPI, Request, HTTPException
import httpx
app = FastAPI()
client = httpx.AsyncClient()
@app.middleware("http")
async def bot_detection(request: Request, call_next):
ip = request.headers.get("x-forwarded-for", request.client.host).split(",")[0]
resp = await client.get(
f"https://api.ipasis.com/v1/lookup?ip={ip}",
headers={"Authorization": f"Bearer {IPASIS_KEY}"},
timeout=2.0,
)
risk = resp.json()
if risk["risk_score"] > 75:
raise HTTPException(status_code=403, detail="Blocked")
request.state.ip_risk = risk
return await call_next(request)
@app.post("/api/auth/login")
async def login(request: Request):
risk = request.state.ip_risk
if risk["is_datacenter"] or risk["risk_score"] > 40:
raise HTTPException(status_code=403, detail="Suspicious login blocked")
# ... login logicAPI Abuse Scenarios & Solutions
Credential Stuffing on Login API
The Attack
Attackers use millions of leaked credentials from data breaches (available on dark web marketplaces for $0.01 each). They distribute the attack across 50,000+ residential proxy IPs, each testing just 3-5 credentials — far below your per-IP rate limit of 10/min.
The Solution
IPASIS identifies residential proxy IPs in real-time. Even though the IPs belong to real ISPs, they're currently routing proxy traffic. Flag these IPs for strict rate limits (1 login/min) and require additional verification (MFA, CAPTCHA) for any risk score above 30.
Competitive Scraping on Pricing API
The Attack
A competitor scrapes your product catalog and pricing data every hour via your public API. They use a pool of datacenter IPs and rotate User-Agent strings to mimic real browsers. Your infrastructure costs spike while they undercut your prices.
The Solution
IPASIS detects datacenter/cloud hosting IPs instantly. Block unauthenticated API calls from datacenter ranges. For authenticated calls, combine IP risk score with request pattern analysis — a user querying 10,000 products per hour from a DigitalOcean IP isn't comparison shopping.
Free Tier / Trial Abuse
The Attack
Bots create 500+ accounts per day using disposable emails and rotating IPs. Each account gets 1,000 free API calls — meaning 500K free calls/day that cost you real compute and should be paid tier usage.
The Solution
At signup, check the IP with IPASIS. Datacenter IP + disposable email = instant block. VPN + new email domain = require phone verification. Combine IP risk with email intelligence for multi-signal fraud detection. See Prevent Fake Signups for the full playbook.
Why IPASIS for API Protection
Sub-20ms Latency
Fast enough to run on every API call without impacting response times. Edge-deployed infrastructure means consistent low latency globally.
Real-Time Data
IP risk data updated continuously — not weekly database dumps. When a new proxy network appears, it's flagged within minutes, not days.
One API Call
Risk score, VPN/proxy/Tor detection, abuse history, ASN, geolocation, connection type — all in a single REST call. No juggling multiple vendors.
Works with Any Stack
REST API works with every language and framework. Drop-in middleware examples for Node.js, Python, Go, Ruby, PHP, and more.
Fail-Open Design
If IPASIS is unreachable (it won't be), your API keeps working. 2-second timeouts with graceful fallback means zero downtime risk.
Transparent Pricing
1,000 free lookups/month. Pay-as-you-grow pricing with no enterprise minimums or "contact sales" walls. See exactly what you'll pay.
Protect Your API in 10 Minutes
Add real-time IP intelligence to your API with one middleware function. 1,000 free lookups/month. No credit card required.