ipasis
Blog/Security Engineering

Mitigating Account Takeovers (ATO) using Real-Time IP Reputation

December 25, 20256 min read

Account Takeover (ATO) attacks remain the dominant vector for fraud, primarily driven by credential stuffing and brute-force campaigns. While multi-factor authentication (MFA) provides a robust defense, it adds friction to the user experience. A silent, backend verification layer utilizing IP reputation is the most effective method to filter malicious traffic before it reaches your core authentication logic.

This guide details how to leverage IP intelligence to detect compromised nodes, residential proxies, and VPNs during the login handshake.

The ATO Attack Vector

Sophisticated ATO attacks bypass standard rate limiting by rotating through thousands of IP addresses. Attackers utilize:

  • Residential Proxies: IPs assigned to legitimate ISPs, often hijacked via malware.
  • Data Center Proxies: High-volume cloud IPs used for rapid enumeration.
  • Tor Exit Nodes: Anonymized traffic routing.

Traditional WAF rules based on request velocity often fail here because the request volume per IP is low. The signal lies in the reputation and metadata of the IP, not just the frequency.

Integration Strategy

To prevent ATOs without degrading UX, inject an IP reputation check immediately after the TLS handshake but before password hashing comparison.

Decision Logic:

  1. Clean IP: Allow standard login.
  2. Suspicious IP (VPN/Public Proxy): Enforce MFA or CAPTCHA.
  3. High-Risk IP (Tor/Abuse History): Silent block or fake success response.

Implementation: Python Middleware

The following Python snippet demonstrates how to verify an incoming request's IP using the IPASIS API before processing credentials. This example assumes a Flask or Django context.

import requests
from flask import request, abort

IPASIS_API_KEY = 'your_api_key'

def check_ip_reputation(ip_address):
    try:
        response = requests.get(
            f"https://api.ipasis.com/v1/{ip_address}",
            headers={"X-Api-Key": IPASIS_API_KEY},
            timeout=0.5  # Fail open on timeout to prevent latency bottlenecks
        )
        
        if response.status_code == 200:
            return response.json()
        return None
    except requests.exceptions.RequestException:
        # Log error and fail open
        return None

def login_handler():
    client_ip = request.remote_addr
    ip_data = check_ip_reputation(client_ip)

    if ip_data:
        # Block requests from Tor or high-risk proxies
        if ip_data.get('is_tor') or ip_data.get('risk_score') > 85:
            abort(403, description="Access Denied")
        
        # Enforce 2FA for data center IPs or moderate risk
        if ip_data.get('is_datacenter') or ip_data.get('risk_score') > 50:
            return trigger_2fa_flow()

    # Proceed with standard authentication
    return process_credentials()

Node.js Implementation

For Node.js environments, use an asynchronous approach to minimize event loop blocking.

const axios = require('axios');

async function validateIp(ipAddress) {
  const apiKey = process.env.IPASIS_KEY;
  
  try {
    const response = await axios.get(`https://api.ipasis.com/v1/${ipAddress}`, {
      headers: { 'X-Api-Key': apiKey },
      timeout: 500
    });

    const { is_proxy, is_vpn, risk_score } = response.data;

    // Hard block criteria
    if (risk_score > 90) {
      throw new Error('High risk IP detected');
    }

    // Soft block / Challenge criteria
    if (is_proxy || is_vpn) {
      return { action: 'CHALLENGE' };
    }

    return { action: 'ALLOW' };

  } catch (error) {
    // In production, log error and default to ALLOW to avoid outages
    console.error('IP Check Failed:', error.message);
    return { action: 'ALLOW' };
  }
}

Critical Signal Metrics

When configuring your security policies, prioritize these IPASIS fields:

  • is_crawler: Detects automated bots impersonating user traffic.
  • connection_type: Distinguish between residential (lower risk) and hosting (higher risk for login endpoints).
  • abuse_velocity: Indicates if the IP has been recently flagged in threat intelligence feeds.

FAQ

Q: Will checking IP reputation introduce latency? A: API lookups should be non-blocking or strictly time-boxed (e.g., <500ms). Caching results for valid IPs (e.g., via Redis) for 15-30 minutes further reduces latency and API costs.

Q: How do we handle false positives with VPNs? A: Many legitimate users utilize VPNs for privacy. Do not block VPNs outright. Instead, treat them as a trigger for step-up authentication (MFA/OTP) rather than a hard denial.

Q: What about mobile carrier NATs? A: Mobile IPs often have lower reputation scores due to shared usage. Rely on the is_mobile flag provided by IPASIS to adjust risk thresholds for cellular networks.

Secure Your Perimeter with IPASIS

Stop chasing IP rotations manually. Automate your threat detection with enterprise-grade data.

Get your free IPASIS API Key and start filtering malicious traffic today.

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key