How APIs Can Block Suspicious Web Visitors Based on IP Address

We don't want to allow signups from VPNs or proxies. Visitors could be using a VPN to mask their real location and bypass location restrictions. A visitor using TOR, which hides their real location and identity, might be trying to perform malicious activity on your site. So how can we block these users?

Most IP lookup services have some kind of threat database. These services allow us to check whether an IP is anonymous (using Tor, a VPN, or a proxy), or a threat, such as a known spammer or hacker. We can use one of these services to detect malicious users and block them from signing up.

At ipdata, we have a database of 600 million malicious IPs which is updated every 15 minutes. MaxMind provides a GeoIP2 Anonymous IP Database which can detect anonymous IPs, but it doesn't currently detect malicious IPs. AWS WAF has IP reputation lists which can be used to block anonymous users and IPs which have been flagged by Amazon's internal threat intelligence.

Detecting threats with ipdata

The ipdata threat API can be used by making a simple GET request with the user's IP address, such as https://api.ipdata.co/1.43.247.217/threat?api-key=test. It responds with an object containing all the information we need to make a decision about the user. Are they a known attacker or abuser? They're a threat! Are they using TOR or a proxy? They're anonymous.

{
  "is_tor": true,
  "is_proxy": false,
  "is_anonymous": true,
  "is_known_attacker": false,
  "is_known_abuser": false,
  "is_threat": false,
  "is_bogon": false
}

There's another field in there too – is_bogon. This indicates that the IP has not been allocated or delegated by IANA or any RIRs, and is almost certainly from an attacker. Bogon IPs also include reserved private addresses, such as 192.168.0.0/16.

Blocking sign ups

Now that we know how to detect VPNs, proxies, and threats, let's actually block these IPs from signing up using a small Node.js application that uses the Express.js and Axios libraries (both easily installed via NPM).

Here's a simplified signup form in HTML, which should be saved to your web installation (or other HTML source directory) as signup.html.

<form action="/signup" method="POST">
  <input name="email" type="email" placeholder="Email address" />
  <input name="password" type="password" placeholder="Password" />
  <input type="submit" />
</form>

Now, we can build our Node application to serve the signup form and handle new signups.

const express = require("express");
const app = express();
const axios = require("axios");

// Get an ipdata API Key from here: https://ipdata.co/sign-up.html
const IPDATA_API_KEY = "test";
const getIpData = async (ip) => {
  const response = await axios.get(
    `https://api.ipdata.co/${ip}/threat?api-key=${IPDATA_API_KEY}`
  );
  return response.data;
};

// Serve the signup page
app.get("/signup", (req, res) =>
  res.sendFile("./signup.html", { root: __dirname })
);

// Handle a signup request
app.post("/signup", async (req, res) => {
  // req.connection is deprecated; req.socket holds the same socket. If the app
  // sits behind a reverse proxy, configure app.set("trust proxy", ...) and use
  // req.ip instead, otherwise this will always be the proxy's address.
  const ip = req.socket.remoteAddress;
  let ipdata;
  try {
    ipdata = await getIpData(ip);
  } catch (err) {
    // Without this, an ipdata outage would leave the request hanging.
    res.status(503).send("IP lookup unavailable");
    return;
  }
  const { is_threat, is_anonymous } = ipdata;
  if (is_threat) {
    res.status(403).send("Blocked IP");
    return;
  }
  if (is_anonymous) {
    res.status(403).send("VPNs are not allowed");
    return;
  }

  // Success! create the user...

  res.status(200).send("Welcome!");
});

app.listen(8000);

When a POST request is received by our server, we call the ipdata API to get additional metadata for the user's IP. Using that, we block any IPs which are deemed to be a threat, along with anonymous IPs.
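As an added example that is not code from the ipdata post, here is the signup decision factored out of the route handler so it can be tested against the sample threat response shown earlier, together with a client-IP helper for deployments behind a reverse proxy. The names decideSignup, clientIp, normalizeIp and the policy options blockAnonymous, failOpen and behindTrustedProxy are assumptions made for this example.

```javascript
// Added example (not from the ipdata post): the signup decision factored out
// of the route handler so it can be tested against the sample threat response.
// decideSignup, clientIp, normalizeIp and the policy options are names assumed here.

// Threat response copied from the article; constructed test input.
const SAMPLE_THREAT = {
  is_tor: true, is_proxy: false, is_anonymous: true,
  is_known_attacker: false, is_known_abuser: false,
  is_threat: false, is_bogon: false,
};

// Returns { allow, status, reason }. Bogon and threat checks are always on;
// the anonymous check is a policy switch since it can reject genuine VPN users.
// failOpen decides what happens when the lookup itself failed (null response).
function decideSignup(threat, { blockAnonymous = true, failOpen = true } = {}) {
  if (!threat || typeof threat !== "object") {
    return failOpen
      ? { allow: true, status: 200, reason: "lookup unavailable, allowed provisionally" }
      : { allow: false, status: 503, reason: "lookup unavailable" };
  }
  if (threat.is_bogon) {
    return { allow: false, status: 403, reason: "Unroutable source address" };
  }
  if (threat.is_threat || threat.is_known_attacker || threat.is_known_abuser) {
    return { allow: false, status: 403, reason: "Blocked IP" };
  }
  if (blockAnonymous && threat.is_anonymous) {
    return { allow: false, status: 403, reason: "VPNs are not allowed" };
  }
  return { allow: true, status: 200, reason: "ok" };
}

// Node reports IPv4 peers on a dual-stack socket as "::ffff:a.b.c.d"; strip
// that prefix so the lookup URL receives a plain IPv4 address.
function normalizeIp(ip) {
  return typeof ip === "string" && ip.startsWith("::ffff:") ? ip.slice(7) : ip;
}

// Only trust X-Forwarded-For when the request really arrived via a proxy you
// control; otherwise the header is client-supplied and the lookup would run
// against whatever value the client put there.
function clientIp(req, { behindTrustedProxy = false } = {}) {
  const fwd = req.headers && req.headers["x-forwarded-for"];
  if (behindTrustedProxy && typeof fwd === "string" && fwd.trim()) {
    return normalizeIp(fwd.split(",")[0].trim()); // left-most entry is the client
  }
  return normalizeIp(req.socket.remoteAddress);
}
```

Note that the bogon check also fires during local testing, because a loopback or private LAN source address falls under the is_bogon definition given above.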

When testing it all together, it works like this:

[Screenshot: testing it all together]

Do you really need to?

Blocking anonymous traffic to your site is likely to catch out some genuine users. There are many valid reasons to use a VPN – some users may have privacy concerns, or they might have restricted Internet access due to their government, ISP, or work. Blocking anonymous traffic should be a last resort and is usually only necessary if there are some legal restrictions, such as media streaming rights or advertising. For these reasons, anonymous blocking will often be combined with blocking users from certain countries.

Blocking threats, however, is a clear and easy way to reduce fraudulent activity on your website. Don't just block malicious IPs from signing up – stop them from accessing your site altogether. Your real users shouldn't notice at all, but the security of their accounts will be strengthened.

Conclusions

Blocking users from signing up using a VPN or proxy is easy, and there are plenty of options. If you want to stop all traffic from any VPN, consider blocking the requests using a firewall, like AWS WAF. Whilst blocking threats is a quick-win for your security, blocking anonymous traffic might impact legitimate users – potentially resulting in lost orders or frustrated users – so use it with caution and only where needed.
