Real-Time Fraud Detection: Architecting Pipelines with IP Intelligence
Modern fraud detection requires a sub-second response time. Whether preventing account takeovers (ATO) during login or flagging chargebacks at checkout, the window for decision-making is closing. This guide explores the architecture of a high-throughput fraud detection pipeline that leverages IP intelligence without compromising latency.
The Latency Budget
In a standard synchronous blocking flow (e.g., a payment gateway), you typically have a latency budget of 200-500ms before user experience degrades. An IP intelligence lookup typically consumes 50-100ms (network RTT dependent). To maintain throughput, the architecture must handle enrichment concurrently or rely on aggressive caching strategies.
Architectural Patterns
There are two primary integration patterns for IP intelligence:
- Inline Middleware (Blocking): The request is halted while the IP is analyzed. Essential for stopping ATOs at the login gate.
- Sidecar Analysis (Async): The request proceeds, but an event is emitted to a queue (e.g., Kafka/RabbitMQ) for analysis. If fraud is detected, the session is invalidated retroactively.
For high-security endpoints, Inline Middleware is preferred. For browsing or cart additions, Sidecar Analysis is superior.
Implementation: Go Middleware with Fail-Open Logic
Below is a Go implementation of a middleware that enriches incoming requests with IPASIS data. It includes a circuit breaker pattern—if the API times out, we fail open to prevent blocking legitimate traffic during outages.
package main
import (
"context"
"encoding/json"
"net/http"
"time"
)
type IPResponse struct {
IsProxy bool `json:"is_proxy"`
IsVPN bool `json:"is_vpn"`
ISP string `json:"isp"`
}
func FraudCheckMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
clientIP := r.Header.Get("X-Forwarded-For")
// Context with hard timeout of 150ms
ctx, cancel := context.WithTimeout(r.Context(), 150*time.Millisecond)
defer cancel()
riskScore, err := getIPRisk(ctx, clientIP)
// Fail-open logic: If error or timeout, log and proceed
if err != nil {
// Log error asynchronously
next.ServeHTTP(w, r)
return
}
if riskScore > 80 {
http.Error(w, "Transaction declined due to high risk", http.StatusForbidden)
return
}
next.ServeHTTP(w, r)
})
}
The Decision Engine: Weighted Scoring
Raw data (ASN, Geolocation, Proxy Status) must be normalized into a risk score. Do not rely on a single boolean. Construct a weighted scoring system based on your specific threat model.
Python Example: Risk Calculation
def calculate_risk(ip_data: dict) -> int:
score = 0
# Factor 1: Anonymity Tools (High Weight)
if ip_data.get('is_vpn') or ip_data.get('is_tor'):
score += 50
# Factor 2: Hosting/Datacenter traffic (Medium Weight)
# legitimate users rarely browse from AWS/DigitalOcean IPs
if ip_data.get('is_datacenter'):
score += 30
# Factor 3: Geolocation Mismatch (Context Dependent)
# Requires comparing IP geo with Billing Address
if ip_data.get('country_code') != billing_country:
score += 20
return min(score, 100)
Optimization: The Caching Layer
IP reputation is relatively sticky; an IP address acting as a residential proxy node is unlikely to become clean within minutes. To reduce API costs and latency, implement a TTL-based cache (Redis/Memcached).
- Residential IPs: Cache for 1-4 hours.
- Datacenter IPs: Cache for 24 hours (static ownership).
- Mobile IPs: Cache for 15-30 minutes (high churn).
FAQ
Q: How do I handle IPv6? Most modern IP intelligence APIs, including IPASIS, handle IPv6. However, avoid blocking entire IPv6 /64 subnets based on a single bad actor unless necessary, as collateral damage can be high.
Q: What about false positives with VPNs? Legitimate users use VPNs for privacy. Instead of hard-blocking VPNs, trigger a step-up challenge (MFA, CAPTCHA, or email verification) when a VPN is detected.
Q: Should I block all datacenter traffic? Generally, yes, for B2C applications. Real humans do not browse e-commerce sites from an AWS EC2 instance. However, ensure you allow-list ASNs of known partners or search engine bots (Googlebot, Bingbot).
Secure Your Pipeline with IPASIS
Building a robust fraud engine starts with accurate data. IPASIS provides enterprise-grade IP intelligence with detailed ASN, VPN, and proxy detection to fuel your decision engines.