Published: January 7, 2024
Tutorial
Learn-By-Example
Security Intelligence
Dealing with Malicious Traffic
How to protect your business with ipapi.is?
ipapi.is is a simple metadata API service that provides metadata about every IPv4 and IPv6 address that exists. This blog post explains how the API data can be used most effectively to protect your business online. There are endless different use cases for ipapi.is, so this blog post cannot cover them all.
This tutorial assumes that you have already created an account on ipapi.is and that you have an API key set up. Regardless of your subscription (even the free plan), you have access to all the data ipapi.is provides. The only difference between the various subscription plans is the number of IP addresses you can query.
Furthermore, the data ipapi.is provides should be understood as a tool belt. We don't know all your business processes and business needs (or even in what kind of industry your business operates). The only thing that you can rely on is that ipapi.is constantly updates its data and tries to be as precise and accurate as possible.
This tutorial explains how to penalize IP addresses based on certain IP metadata. Blocking Internet traffic is a very sensitive decision and cannot be made lightly. ipapi.is never suggests permanently banning certain IP ranges. That would be a foolish decision, since IP addresses are constantly re-assigned and may change ownership over time. Instead, blocking IP ranges should always be a temporary action. There are various levels of countermeasures that can be employed against ill-behaving clients. Listed in decreasing order of severity, these are the actions you can take to combat hackers and spam:
- Most severe - Block the IP address / range from accessing all of your resources
- Severe - Block the IP address / range from using critical resources of your application
- Moderate - Ask the client to verify a phone number by entering an SMS code
- Mild - Ask the client to solve a CAPTCHA challenge
- Friendly - Throttle the number of requests per IP address to a certain limit
Having said that, let's explore the different ways how to combat malicious traffic on your app.
Using Hosting Detection to Combat Malicious Traffic
ipapi.is has very strong hosting / cloud detection support. The API detects most public hosting and cloud services in use on the Internet. Good hosting detection is not an easy problem to solve. It is very easy to obtain the public IP ranges of most large cloud providers, since actors such as DigitalOcean, Amazon AWS or Microsoft Azure publish those IP ranges themselves.
But it is much harder to detect bulletproof hosting providers or smaller hosting providers, since they don't necessarily want to publish their IP ranges. Furthermore, smaller services often cease to exist and new ones emerge daily. There are many thousand hosting providers worldwide, and many of them only operate on a national or regional level.
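The "easy" case described above, as an added example that is not code from the ipapi.is post: a CIDR membership check that tests an address against a list of published provider ranges, for both IPv4 and IPv6. The `PUBLISHED_RANGES` list is constructed sample data in a simple `{provider, cidr}` shape using documentation prefixes; a real deployment would load the provider's own publication (AWS, for instance, publishes its ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json) and refresh it regularly, since the ranges change.

```javascript
// Added example, not from the ipapi.is post: self-hosted range matching for
// providers that publish their IP ranges. Addresses are normalised to BigInt
// so IPv4 (32 bit) and IPv6 (128 bit) share one masking routine.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit BigInt.
function parseIPv4(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${addr}`);
  let n = 0n;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 address: ${addr}`);
    n = (n << 8n) | BigInt(Number(p));
  }
  return n;
}

// Parse an IPv6 address (with optional :: compression) into a 128-bit BigInt.
// Embedded dotted-quad forms such as ::ffff:1.2.3.4 are not handled here.
function parseIPv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${addr}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) throw new Error(`invalid IPv6 address: ${addr}`);
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  let n = 0n;
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`invalid IPv6 address: ${addr}`);
    n = (n << 16n) | BigInt(parseInt(g, 16));
  }
  return n;
}

// Detect the family from the textual form and parse accordingly.
function parseIP(addr) {
  return addr.includes(':')
    ? { family: 6, value: parseIPv6(addr), bits: 128 }
    : { family: 4, value: parseIPv4(addr), bits: 32 };
}

// Turn "base/prefix" into a network value plus mask of the right width.
function parseCidr(cidr) {
  const [base, prefixStr] = cidr.split('/');
  const ip = parseIP(base);
  const prefix = prefixStr === undefined ? ip.bits : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > ip.bits) throw new Error(`invalid prefix length: ${cidr}`);
  const allOnes = (1n << BigInt(ip.bits)) - 1n;
  const hostBits = (1n << BigInt(ip.bits - prefix)) - 1n;
  const mask = allOnes ^ hostBits; // prefix 0 -> 0n, prefix == bits -> all ones
  return { family: ip.family, network: ip.value & mask, mask };
}

// True when `addr` lies inside `cidr`; a v4 address never matches a v6 range.
function ipInCidr(addr, cidr) {
  const ip = parseIP(addr);
  const net = parseCidr(cidr);
  return ip.family === net.family && (ip.value & net.mask) === net.network;
}

// Constructed sample in place of a provider's published list (documentation prefixes only).
const PUBLISHED_RANGES = [
  { provider: 'example-cloud', cidr: '203.0.113.0/24' },
  { provider: 'example-cloud', cidr: '2001:db8:1000::/36' },
  { provider: 'example-host', cidr: '198.51.100.128/25' },
];

// Return the provider name for the first matching range, or null.
function lookupHostingProvider(addr, ranges = PUBLISHED_RANGES) {
  for (const r of ranges) {
    if (ipInCidr(addr, r.cidr)) return r.provider;
  }
  return null;
}

for (const addr of ['203.0.113.77', '198.51.100.100', '2001:db8:1fff::1']) {
  console.log(`${addr} -> ${lookupHostingProvider(addr) ?? 'not in a published range'}`);
}
```

A miss here only means the address is not in a list you loaded; it says nothing about the thousands of smaller providers that publish nothing, which is exactly the gap the API's hosting detection is meant to cover.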
But why is hosting / cloud detection even relevant for IT security? This question is better answered by asking the reverse question: is there any good reason for humans to access your website or application through hosting / cloud provider IP ranges?
The answer is: mostly no. Legitimate human traffic originates mostly from residential ISPs or other organizations such as universities, public institutions or normal businesses. On the other hand, there are many good reasons why hackers use hosting or cloud providers for their nefarious actions instead of their home ISP network:
- They don't want their own IP address to be associated with malicious activities; otherwise the ISP could easily trace the hacker's IP to their home address and forward it to law enforcement. Therefore, most cyber criminals never use their own network / WiFi.
- Hackers can quickly purchase many hundreds or even thousands of IP addresses and computing instances from hosting providers. They can scale their malicious operation very easily by using hosting providers. If they tried to purchase public IP addresses from their residential ISP, it would raise many questions and red flags.
- Many hosting providers simply don't verify the real identity of their customers. This allows the hacker to remain anonymous, whereas the hosting provider has plausible deniability ("We cannot identify every customer, otherwise our business model is not viable anymore").
- Their home network is simply too slow and has too little bandwidth to conduct their illicit activities.
Sometimes, good traffic also originates from hosting providers. Some reasons why humans might use hosting IP ranges:
- They want to remain anonymous and therefore use a VPN service that hosts its VPN servers at a hosting provider.
- Some larger organizations route all of their traffic over a public, Internet-facing proxy, which might be operated by a hosting provider (cloud-hosted secure web gateways are a common example of this).
Even though there are exceptions (false positives), the general rule still holds for most cases: there is no good general reason why legitimate human traffic should originate from hosting / cloud providers. On the other side, there are many good reasons why cyber criminals use hosting providers to commit their actions. The broad purpose of hosting and cloud providers is to serve traffic to clients. It is not normal for hosting provider IP ranges to behave as clients.
How to filter Hosting Traffic with ipapi.is?
This is very easy to achieve. The following JavaScript example iterates over a list of IP addresses and prints each IP address that belongs to a hosting provider to the console. You can paste this code into your browser DevTools console or execute it in a NodeJS terminal to see it in action.
// IP addresses to classify; hosting detection is read from the is_datacenter flag
const ips = [
  '67.202.45.218',
  '77.56.51.229',
  '133.18.197.52',
  '89.187.173.68',
  '108.36.82.42',
  '45.147.249.251'
];

for (const ip of ips) {
  // append your API key as a query parameter as described in the ipapi.is docs
  fetch(`https://api.ipapi.is?q=${ip}`)
    .then(res => res.json())
    .then(res => {
      if (res?.is_datacenter) {
        // datacenter.datacenter holds the name of the hosting provider
        const providerName = res?.datacenter?.datacenter;
        console.log(`ip ${ip} belongs to the hosting provider "${providerName}"`);
      } else {
        console.log(`ip ${ip} does not belong to a hosting provider. The IP is owned by the organization "${res?.company?.name}" with type "${res?.company?.type}"`);
      }
    })
    // a failed or rate-limited request should be visible, not silently dropped
    .catch(err => console.error(`lookup for ${ip} failed: ${err.message}`));
}
If you run the above script, you will obtain output like the following (the lines appear in the order in which the requests complete, so it may differ from the order of the array):
ip 133.18.197.52 belongs to the hosting provider "KAGOYA JAPAN Inc."
ip 45.147.249.251 belongs to the hosting provider "kamatera.com"
ip 67.202.45.218 belongs to the hosting provider "Amazon AWS"
ip 77.56.51.229 does not belong to a hosting provider. The IP is owned by the organization "Liberty Global B.V." with type "isp"
ip 89.187.173.68 belongs to the hosting provider "DataCamp Limited"
ip 108.36.82.42 does not belong to a hosting provider. The IP is owned by the organization "Verizon Business" with type "isp"
Using the is_tor and is_abuser flags to filter traffic
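The post leaves this section without an example. As an added example that is not code from the ipapi.is post, here is a decision function that maps an ipapi.is-style record to one of the countermeasure tiers listed at the start of the post, using the hosting detection from the previous section together with the `is_tor` and `is_abuser` flags, and a fixed-window per-IP counter that implements the "friendly" tier. The flag-to-tier mapping, the counter limits and the `SAMPLE_RECORDS` are this example's own assumptions; the field names follow the response shape shown on this page.

```javascript
// Added example, not code from the ipapi.is post. Which flag maps to which
// tier is a policy choice made for this example; tune it to your application.

const TIER = {
  BLOCK_ALL: 'block_all',           // most severe: no access to any resource
  BLOCK_CRITICAL: 'block_critical', // severe: no login, checkout, API writes, ...
  SMS_VERIFY: 'sms_verify',         // moderate: phone number verification
  CAPTCHA: 'captcha',               // mild: CAPTCHA challenge
  RATE_LIMIT: 'rate_limit',         // friendly: ordinary per-IP throttling only
};

// Decide the tier for one request. `record` is the parsed ipapi.is response,
// or null if the lookup failed. `opts.challengedCountries` is a Set of ISO
// country codes currently under a temporary CAPTCHA rule; `opts.trustedHostingProviders`
// a Set of provider names whose traffic you expect (own monitoring, partner integrations).
function decideTier(record, opts = {}) {
  const challengedCountries = opts.challengedCountries ?? new Set();
  const trustedHostingProviders = opts.trustedHostingProviders ?? new Set();

  // Lookup failed or returned nothing usable: degrade to the mild challenge,
  // never to an outright block and never to a silent allow.
  if (!record || typeof record !== 'object') return TIER.CAPTCHA;

  // Reported abuser: the only case this example escalates to a full block.
  // Per the post, such blocks must still be temporary.
  if (record.is_abuser === true) return TIER.BLOCK_ALL;

  // Tor exits may still read public pages but not touch critical resources.
  if (record.is_tor === true) return TIER.BLOCK_CRITICAL;

  // Hosting / cloud traffic is rarely a human, unless it is a provider you expect.
  if (record.is_datacenter === true) {
    const provider = record.datacenter?.datacenter ?? '';
    if (!trustedHostingProviders.has(provider)) return TIER.CAPTCHA;
  }

  // Temporary per-country CAPTCHA rule (see the geolocation section below).
  const country = record.location?.country_code;
  if (country && challengedCountries.has(country.toUpperCase())) return TIER.CAPTCHA;

  return TIER.RATE_LIMIT;
}

// Fixed-window per-IP counter backing the "friendly" tier.
class RequestCounter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // ip -> { start, count }
  }
  // Records one request and returns true while the IP is within its limit.
  hit(ip, now = Date.now()) {
    const bucket = this.buckets.get(ip);
    if (!bucket || now - bucket.start >= this.windowMs) {
      this.buckets.set(ip, { start: now, count: 1 });
      return true;
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

// Resolve the tier into a concrete outcome for this request: 'allow',
// 'throttled', or the challenge / block tier itself.
function evaluateRequest(record, ip, counter, now = Date.now(), opts = {}) {
  const tier = decideTier(record, opts);
  if (tier !== TIER.RATE_LIMIT) return tier;
  return counter.hit(ip, now) ? 'allow' : 'throttled';
}

// Constructed sample records (documentation IP ranges, not real lookups).
const SAMPLE_RECORDS = [
  { ip: '203.0.113.10', is_datacenter: true, is_tor: false, is_abuser: false,
    datacenter: { datacenter: 'Example Cloud' }, company: { name: 'Example Cloud', type: 'hosting' }, location: { country_code: 'US' } },
  { ip: '198.51.100.20', is_datacenter: false, is_tor: false, is_abuser: false,
    company: { name: 'Example ISP', type: 'isp' }, location: { country_code: 'DE' } },
  { ip: '198.51.100.30', is_datacenter: false, is_tor: true, is_abuser: false,
    company: { name: 'Example ISP', type: 'isp' }, location: { country_code: 'NL' } },
  { ip: '203.0.113.40', is_datacenter: true, is_tor: false, is_abuser: true,
    datacenter: { datacenter: 'Example Host' }, company: { name: 'Example Host', type: 'hosting' }, location: { country_code: 'AU' } },
  { ip: '198.51.100.50', is_datacenter: false, is_tor: false, is_abuser: false,
    company: { name: 'Example ISP', type: 'isp' }, location: { country_code: 'CH' } },
];

// Offline demo: 3 requests per minute per IP, CH currently under a CAPTCHA rule.
const demoCounter = new RequestCounter(3, 60 * 1000);
const demoOpts = { challengedCountries: new Set(['CH']) };
for (const record of SAMPLE_RECORDS) {
  console.log(`${record.ip} -> ${evaluateRequest(record, record.ip, demoCounter, Date.now(), demoOpts)}`);
}
```

The order of the checks is the policy: a reported abuser is blocked even if it sits in a trusted hosting provider, and a missing record gets the CAPTCHA rather than a block, so an outage of the lookup never turns into a self-inflicted denial of service.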
Using IP Geolocation to CAPTCHA-block certain Countries temporarily
ipapi.is is not an advocate of discrimination based on geographic origin, but sometimes assigning a reputation to IP origin on a country basis is an effective measure against ongoing cyber attacks. The idea is simple: if your app or website experiences heavy attack traffic from certain geographic regions, an effective countermeasure is to preemptively ask any IP from that region to solve a CAPTCHA or to verify a phone number via SMS code.
Let's say, hypothetically, IPs from Switzerland and Australia are attacking your website. Then one effective countermeasure would be to temporarily make clients from those countries solve a CAPTCHA. This is how you could implement this logic in an Express route on the server side:
// check if an IP address is allowed to proceed directly to login.
// getIp(req) is assumed to return the real client IP; behind a reverse proxy,
// take it from the proxy's forwarded header only if you trust that proxy.
app.get('/app/login', async (req, res) => {
  const clientIP = getIp(req);
  try {
    // `res` must remain the Express response, so the API response gets its own name
    const apiRes = await fetch(`https://api.ipapi.is?q=${clientIP}`);
    const data = await apiRes.json();
    const countryCode = data?.location?.country_code;
    if (['CH', 'AU'].includes(countryCode)) {
      return res.redirect('/showCaptcha');
    }
    return res.redirect('/allowLogin');
  } catch (err) {
    // the lookup failed: fall back to the CAPTCHA instead of leaving the request hanging
    return res.redirect('/showCaptcha');
  }
});
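The route above hardcodes the two countries, while the post stresses that such measures should be temporary. As an added example that is not code from the ipapi.is post, here is a version that keeps per-country CAPTCHA rules with an expiry, so the measure lapses on its own, and separates the decision from the network lookup so it can be exercised offline. `ipapiLookup` calls the same endpoint as the post; `SAMPLE_LOOKUPS` is constructed data, and the use of `req.ip` assumes Express's `trust proxy` is configured correctly for your deployment.

```javascript
// Added example, not code from the ipapi.is post.

// Country code -> expiry timestamp (ms). Expired rules are dropped lazily.
class TemporaryChallengeList {
  constructor() {
    this.rules = new Map();
  }
  // Put `countryCode` under a CAPTCHA rule for `durationMs` counted from `now`.
  challenge(countryCode, durationMs, now = Date.now()) {
    this.rules.set(countryCode.toUpperCase(), now + durationMs);
  }
  // True while an unexpired rule exists for the country; expired rules are removed.
  isChallenged(countryCode, now = Date.now()) {
    if (!countryCode) return false;
    const code = countryCode.toUpperCase();
    const expires = this.rules.get(code);
    if (expires === undefined) return false;
    if (now >= expires) {
      this.rules.delete(code);
      return false;
    }
    return true;
  }
  // Country codes currently under a rule, for dashboards and audits.
  active(now = Date.now()) {
    return [...this.rules.keys()].filter(code => this.isChallenged(code, now));
  }
}

// Pure decision: where to send the client given its ipapi.is record.
function decideRedirect(record, challenges, now = Date.now()) {
  const countryCode = record?.location?.country_code;
  return challenges.isChallenged(countryCode, now) ? '/showCaptcha' : '/allowLogin';
}

// Real lookup against the same endpoint the post uses. Append your API key as
// described in the ipapi.is docs. Not called by the offline demo below.
async function ipapiLookup(ip) {
  const response = await fetch(`https://api.ipapi.is?q=${encodeURIComponent(ip)}`);
  if (!response.ok) throw new Error(`ipapi.is returned HTTP ${response.status}`);
  return response.json();
}

// Express-style handler factory: app.get('/app/login', makeLoginGate({ challenges })).
// `lookup` and `clock` are injectable so the gate can be tested without the network.
function makeLoginGate({ challenges, lookup = ipapiLookup, clock = Date.now }) {
  return async function loginGate(req, res) {
    let target;
    try {
      const record = await lookup(req.ip); // assumes `trust proxy` is set correctly
      target = decideRedirect(record, challenges, clock());
    } catch (err) {
      // Lookup unavailable: degrade to the mild challenge, neither block nor wave through.
      target = '/showCaptcha';
    }
    return res.redirect(target);
  };
}

// Offline demo with a constructed lookup table instead of the network.
const SAMPLE_LOOKUPS = {
  '198.51.100.10': { location: { country_code: 'CH' } },
  '198.51.100.20': { location: { country_code: 'DE' } },
};
const demoList = new TemporaryChallengeList();
demoList.challenge('CH', 6 * 60 * 60 * 1000); // six hours, then the rule lapses on its own
for (const [ip, record] of Object.entries(SAMPLE_LOOKUPS)) {
  console.log(`${ip} (${record.location.country_code}) -> ${decideRedirect(record, demoList)}`);
}
```

Because the rule carries its own expiry, nobody has to remember to lift it, which is how a "temporary" measure quietly becomes a permanent one in practice.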