protect your business online with ipapi.is
Published: January 7, 2024
Last Modified: January 20, 2023
Tutorial Learn-By-Example Threat Intelligence Filtering Malicious Traffic

How to Filter Malicious Traffic with ipapi.is

ipapi.is is an easy-to-use API service that provides metadata for every public IPv4 and IPv6 address on the Internet. This blog post explains how various aspects of the API can be used to protect your app or website in the most effective way. There are endless examples of how ipapi.is can be leveraged to secure your business, so this blog post will not cover them all.

This tutorial assumes that you have already created an account on ipapi.is and that you are set up with an API key. Regardless of your subscription plan (even the free plan), you have access to all the data ipapi.is provides. The only difference between the various subscription plans is the number of IP addresses you can query per day.

Furthermore, the data provided by ipapi.is can be understood as a toolkit. We may not know all your business processes and needs, or in what industry your business operates. And honestly, ipapi.is does not need to. Our guarantee is to keep ipapi.is constantly updated and to strive for precision and accuracy with the data we offer. However, it is not the goal of the API to accommodate every business use case.

This tutorial explains how to penalize clients based on certain IP metadata. Blocking Internet traffic by IP addresses is a very sensitive decision and should not be made lightly. ipapi.is never suggests permanently banning certain IP ranges. This would be unwise, as IP addresses are constantly reassigned and may change ownership over time. Instead, blocking IP ranges should always be a temporary measure. There are various levels of countermeasures that can be employed against ill-behaving clients. Listed in decreasing order of severity, the following list contains actions you can employ to combat malicious traffic on your app or website:

  • Most Severe - Block the IP address/range from accessing all of your resources.
  • Severe - Block the IP address/range from using critical resources of your application.
  • Less Severe - Ask the client to verify a phone number by verifying an SMS code.
  • Moderate - Ask the client to solve a CAPTCHA challenge.
  • Friendly - Throttle the number of requests per IP address to a certain limit.

Having said that, let's explore the different ways to combat malicious traffic that threatens your app or website.

Example 1 - Using Hosting Detection (is_datacenter) to Combat Malicious Traffic

ipapi.is has very strong hosting/cloud provider detection support. The API detects most public hosting and cloud services currently operating on the Internet. Good hosting detection is not an easy problem to solve. It is quite straightforward to obtain the public IP ranges of most large cloud providers, as services such as DigitalOcean, Amazon AWS, or Microsoft Azure publish their IP ranges on their websites.

However, it is much harder to detect niche hosting providers or smaller hosting providers since they don't necessarily publish their IP ranges. Furthermore, smaller hosting services often cease to exist and new ones emerge over time. There are many thousands of hosting providers worldwide, many of which only operate on a national or regional level.

But why is hosting/cloud detection even relevant for IT security?

This question can be better answered by asking the reverse:

Is there any good reason for humans to access your website or application via hosting/cloud provider IP ranges?

The answer is: Mostly no. Legitimate human traffic usually originates from residential ISPs or other organizations such as universities, public institutions, or normal businesses.

On the other hand, there are many good reasons why hackers use hosting or cloud providers for their nefarious actions instead of using their home ISP network:

  • They don't want their own IP address to be associated with malicious activities, as the ISP could easily forward the hacker's home address to law enforcement. Therefore, most cybercriminals never use their own network/WiFi to conduct cybercrime.
  • Hackers can quickly purchase many hundreds or even thousands of IP addresses and computing instances from hosting providers. They can easily scale their malicious operations using cloud providers. If they tried to purchase public IP addresses from their residential ISPs, it would raise many questions, concerns, and red flags.
  • Many hosting providers simply don't verify the real identity of their customers. This allows hackers to remain anonymous, while the hosting provider has plausible deniability in case illicit activity is conducted ("We simply cannot identify every customer via passport verification, otherwise our business model wouldn't be viable anymore").
  • Another reason why cybercriminals resort to using hosting providers is that their home network is simply too slow to conduct their illicit activities.

Sometimes, benign traffic also originates from hosting providers. Some reasons why humans might use hosting IP ranges for their web surfing:

  • They want to remain anonymous and therefore use a VPN service which uses a hosting provider to host their VPN servers (However, many websites such as banks or streaming services don't want their customers to hide behind VPNs either).
  • Some larger organizations might use a public proxy facing the Internet, and all traffic from said organization is routed over the public proxy, which might be operated by a hosting provider.

Even though there are exceptions (false positives), the general rule still holds for most cases:

There is no good general reason why legitimate human traffic originates from hosting/cloud providers. On the other hand, there are many good reasons why cybercriminals use hosting providers to commit their actions.

The broad purpose of hosting providers and cloud providers is to serve traffic to clients. It is not normal for hosting provider IP ranges to behave as clients themselves.

How to Filter Hosting Traffic with ipapi.is

This is very easy to achieve. The following JavaScript example shows how to iterate over a list of IP addresses, identifying each one that belongs to a hosting provider. This code can be pasted into your browser's DevTools console or executed in a NodeJS terminal to see it in action.

const ips = [
  '67.202.45.218',
  '77.56.51.229',
  '133.18.197.52',
  '89.187.173.68',
  '108.36.82.42',
  '45.147.249.251'
];

for (const ip of ips) {
  // one lookup per IP; the requests run concurrently, so results may arrive in any order
  fetch(`https://api.ipapi.is?q=${ip}`)
    .then(res => res.json())
    .then(res => {
      if (res?.is_datacenter) {
        const providerName = res?.datacenter?.datacenter;
        console.log(`ip ${ip} belongs to the hosting provider "${providerName}"`);
      } else {
        // optional chaining guards against records without a company object
        console.log(`ip ${ip} does not belong to a hosting provider. The IP is owned by the organization "${res?.company?.name}" with type "${res?.company?.type}"`);
      }
    })
    .catch(err => console.error(`lookup for ${ip} failed:`, err));
}

If you run the above script, you will obtain the following output (the lines may appear in a different order, since the requests complete asynchronously):


ip 133.18.197.52 belongs to the hosting provider "KAGOYA JAPAN Inc."
ip 45.147.249.251 belongs to the hosting provider "kamatera.com"
ip 67.202.45.218 belongs to the hosting provider "Amazon AWS"
ip 77.56.51.229 does not belong to a hosting provider. The IP is owned by the organization "Liberty Global B.V." with type "isp"
ip 89.187.173.68 belongs to the hosting provider "DataCamp Limited"
ip 108.36.82.42 does not belong to a hosting provider. The IP is owned by the organization "Verizon Business" with type "isp"

You can now adapt the above example and use it in your own IT infrastructure to filter out clients that belong to hosting providers.

Example 2 - Using is_tor and is_abuser Flags to Filter Bad Traffic

ipapi.is provides two boolean flags that are very helpful in filtering malicious traffic:

  • is_tor - Indicates whether the IP address is part of the Tor network. The Tor network provides anonymity to its users and, for that reason, is extensively used by cybercriminals. IPs from the Tor network are often used to commit cybercrimes.
  • is_abuser - Specifies whether the IP address has committed abusive actions in the recent past (the last couple of days). "Abusive actions" is a deliberately broad term that includes a wide range of illicit online behavior such as spam mail, bad bots, scanning, brute-force logins, and more. IP addresses classified as abusive are safe to block.

By blocking all clients for which one of those two boolean flags is true, the likelihood of a false-positive block is very low. The following code illustrates how you can require clients for whom is_tor or is_abuser is true to solve a CAPTCHA. If the client is "clean," they can proceed directly to the signup form.


app.get('/app/signup', async (req, res) => {
  // getIp() is your own helper that extracts the client's IP address from the request
  const clientIP = getIp(req);
  try {
    // the lookup result is named "info" so it does not shadow the Express "res" object
    const info = await fetch(`https://api.ipapi.is?q=${clientIP}`).then(r => r.json());
    const shouldShowCaptcha = info?.is_tor || info?.is_abuser;
    if (shouldShowCaptcha) {
      return res.redirect('/showCaptcha');
    } else {
      return res.redirect('/allowSignup');
    }
  } catch (err) {
    // if the lookup fails, don't leave the request hanging: fall back to the CAPTCHA
    return res.redirect('/showCaptcha');
  }
});

Example 3 - Using IP Geolocation to Specify Which Users Have to Solve a CAPTCHA

ipapi.is does not advocate discrimination based on geographic location. However, sometimes assigning a reputation to the country associated with an IP is an effective measure against ongoing cyber attacks.

The idea is simple: if your app or website experiences heavy attack traffic from certain geographic regions, an effective countermeasure could be to preemptively require any IP from that region to solve a CAPTCHA or to verify a phone number via SMS code.

For example, let's hypothetically say massive amounts of IPs from Switzerland and Australia are attacking your website. Further, suppose the attacker is not using hosting providers and possesses high-reputation IP addresses, making it difficult to cluster the ongoing attack based on another parameter. Then, an effective countermeasure would be to temporarily require clients from those countries to solve a CAPTCHA, even if it means penalizing clients who are not malicious (a false positive). This is how you could implement this logic in an Express route on the server side:


// check if an IP address is allowed to proceed directly to login
app.get('/app/login', async (req, res) => {
  // getIp() is your own helper that extracts the client's IP address from the request
  const clientIP = getIp(req);
  try {
    // the lookup result is named "info" so it does not shadow the Express "res" object
    const info = await fetch(`https://api.ipapi.is?q=${clientIP}`).then(r => r.json());
    const countryCode = info?.location?.country_code;
    if (['CH', 'AU'].includes(countryCode)) {
      return res.redirect('/showCaptcha');
    } else {
      return res.redirect('/allowLogin');
    }
  } catch (err) {
    // if the lookup fails, don't leave the request hanging: fall back to the CAPTCHA
    return res.redirect('/showCaptcha');
  }
});

Example 4 - Using the is_proxy and is_vpn Flags

ipapi.is also provides the is_proxy and is_vpn flags with the following meanings:

  • is_proxy - This field determines whether the IP address is a proxy.
  • is_vpn - This field determines if the IP address is a VPN.

These boolean flags are very useful if you want to prevent anonymous clients from accessing your business.

Let's assume you are running an online survey business and your company offers market surveys from a specific geographic region. Some survey takers might attempt to commit fraud by misrepresenting their true geographic origin. For example, a fraudulent survey taker from Bangladesh might claim to be in the USA by using a VPN located in the US.

Without proxy or VPN detection, it would be impossible to identify this deception. However, in cases where a business needs to enforce the true geographic origin of their clients (and where ID verification is too expensive a process), proxy and VPN detection with the is_proxy and is_vpn fields becomes a viable solution.
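The snippet below is an added example, not code from the ipapi.is post. It combines the signals from Examples 1 to 4 (is_datacenter, is_tor, is_abuser, is_proxy, is_vpn and location.country_code) into one policy that returns the most severe action from the countermeasure list at the top of the post, and caches each decision with an expiry so penalties lapse on their own and repeat lookups do not spend your daily query quota. The mapping of flags to actions, the sample records and the offline lookup function are assumptions made for the example.

```javascript
// Added example: tiered policy over ipapi.is flags plus a TTL decision cache.
// Field names follow the post's examples; the flag-to-action mapping is ours.
const ACTIONS = ['allow', 'throttle', 'captcha', 'sms_verify', 'block']; // least to most severe

// Returns the most severe action that any matching rule asks for.
function decideAction(info, captchaCountries = new Set()) {
  let level = 0;
  const raise = (a) => { level = Math.max(level, ACTIONS.indexOf(a)); };
  if (info?.is_abuser) raise('block');                       // recently abusive: safe to block
  if (info?.is_tor || info?.is_datacenter) raise('captcha'); // anonymity network / hosting range
  if (info?.is_proxy || info?.is_vpn) raise('sms_verify');   // hidden origin: verify a phone number
  if (captchaCountries.has(info?.location?.country_code)) raise('captcha'); // regions under attack
  return ACTIONS[level];
}

// Per-IP decision cache with a TTL, so every block is temporary by construction.
function createDecisionCache(ttlMs, now = Date.now) {        // "now" is injectable for testing
  const entries = new Map();
  return {
    get(ip) {
      const e = entries.get(ip);
      if (!e || e.expires <= now()) { entries.delete(ip); return undefined; }
      return e.action;
    },
    set(ip, action) { entries.set(ip, { action, expires: now() + ttlMs }); },
  };
}

// "lookup" is whatever fetches the ipapi.is record for an IP (injected so this runs offline).
// A failed lookup is never cached and degrades to throttling rather than blocking.
async function actionForIp(ip, lookup, cache, captchaCountries) {
  const cached = cache.get(ip);
  if (cached) return cached;
  let info;
  try { info = await lookup(ip); } catch { return 'throttle'; }
  const action = decideAction(info, captchaCountries);
  cache.set(ip, action);
  return action;
}

// Constructed sample records (documentation IPs), shaped like ipapi.is responses.
const SAMPLES = {
  '192.0.2.10': { is_datacenter: false, is_tor: false, is_abuser: false, is_proxy: false, is_vpn: false, location: { country_code: 'US' } },
  '192.0.2.20': { is_datacenter: true, is_tor: false, is_abuser: false, is_proxy: false, is_vpn: false, location: { country_code: 'DE' } },
  '192.0.2.30': { is_datacenter: false, is_tor: false, is_abuser: false, is_proxy: false, is_vpn: true, location: { country_code: 'BD' } },
  '192.0.2.40': { is_datacenter: true, is_tor: true, is_abuser: true, is_proxy: false, is_vpn: false, location: { country_code: 'NL' } },
};
const offlineLookup = async (ip) => { if (!(ip in SAMPLES)) throw new Error('lookup failed'); return SAMPLES[ip]; };
```

In production, replace offlineLookup with a function that queries https://api.ipapi.is?q=<ip> and choose a TTL short enough that an IP which changes hands is not penalized for long.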

Conclusion

ipapi.is does not provide an exhaustive list of methods to filter bad traffic from your apps. Instead, ipapi.is offers various metadata and grants you the freedom to analyze and block malicious traffic from your applications in the way that best suits you.

The API is not a complete IT security solution. However, the data ipapi.is provides can be instrumental in making complex and robust IT security decisions!