
How to Stop Bot Signups Using IP-Based Risk Signals

December 20, 2025 · 5 min read

Registration fraud remains a critical vector for application abuse. Automated scripts utilize botnets to create thousands of fake accounts for credential stuffing, promotional abuse, or platform manipulation.

While CAPTCHAs provide a layer of defense, they degrade user experience and are increasingly solvable by AI-driven solvers or click farms. A more sophisticated, invisible layer of defense is required: IP Intelligence.

This guide details how to architect a signup flow that evaluates connection metadata—specifically identifying proxies, VPNs, and hosting providers—to reject bad actors before they hit your database.

The Anatomy of an Automated Signup

Sophisticated bot operators rarely use their home connection. To bypass rate limits and geographical restrictions, they route traffic through:

  1. Datacenter IPs: Cheap, plentiful IPs from cloud providers (AWS, DigitalOcean, Hetzner).
  2. Tor Exit Nodes: Anonymized network traffic, highly correlated with malicious intent in signup flows.
  3. Residential Proxies: Infected consumer devices routed to look like legitimate home users.

Your application must be able to distinguish between a legitimate user on a coffee shop Wi-Fi and a script running on a headless server in a data center.

Key Risk Signals to Monitor

When a POST /register request arrives, query an IP intelligence provider like IPASIS to extract specific signals. Do not rely on a single boolean; build a risk score based on the following attributes:

1. Connection Type (ASN Classification)

Legitimate users typically connect via ISPs (Comcast, Verizon, DT) or Mobile Data.

  • High Risk: hosting, datacenter.
  • Medium Risk: business (corporate networks).
  • Low Risk: isp, edu.

If a signup request originates from an ASN belonging to a hosting provider, the probability of it being a human user is near zero.

2. Privacy Detection (VPN/Proxy/Tor)

Detecting the presence of an anonymization layer is critical.

  • Tor: Block immediately. There are valid use cases for Tor, but anonymous account creation is rarely one of them for standard SaaS applications.
  • Public Proxies: Block immediately.
  • VPNs: This requires nuance. A VPN might indicate a security-conscious developer or a bot. Instead of a hard block, trigger a "step-up" challenge (e.g., email verification required before login).

Implementation Strategy

The most efficient architecture places the IP check as middleware or a dedicated service before the database write operation. This prevents database bloat and saves resources on transactional emails.

Python (FastAPI) Implementation Example

The following example demonstrates a middleware approach using the IPASIS API to gate signups.

import logging

import httpx
from fastapi import FastAPI, HTTPException, Request

app = FastAPI()
log = logging.getLogger("signup")
IPASIS_API_KEY = "your_api_key"
# Connection types classified as high risk in the section above
HIGH_RISK_CONNECTION_TYPES = {"hosting", "datacenter"}

async def check_ip_risk(ip_address: str) -> dict:
    url = f"https://api.ipasis.com/v1/{ip_address}?key={IPASIS_API_KEY}"

    # Bound the lookup so a slow provider cannot stall every signup
    async with httpx.AsyncClient(timeout=2.0) as client:
        try:
            resp = await client.get(url)
            resp.raise_for_status()
            data = resp.json()
        except httpx.HTTPError as exc:
            # Fail open but flag the account, so a provider outage does not halt all signups
            log.warning("IP lookup failed for %s: %s", ip_address, exc)
            return {"action": "FLAG", "reason": "IP lookup unavailable"}

    # 1. Hard Block: Tor or datacenter/hosting traffic
    if data.get("is_tor") or data.get("connection_type") in HIGH_RISK_CONNECTION_TYPES:
        return {"action": "BLOCK", "reason": "High risk network detected"}

    # 2. Soft Block: VPNs
    if data.get("is_vpn"):
        return {"action": "FLAG", "reason": "VPN detected"}

    return {"action": "ALLOW", "reason": None}

@app.post("/register")
async def register_user(request: Request):
    # request.client.host is the direct TCP peer; behind a reverse proxy that is the
    # proxy's address, so derive the client IP from a header set by your trusted proxy there.
    client_ip = request.client.host
    risk_assessment = await check_ip_risk(client_ip)

    if risk_assessment["action"] == "BLOCK":
        # Log the attempt for security auditing
        log.info("Blocked signup from %s: %s", client_ip, risk_assessment["reason"])
        raise HTTPException(status_code=403, detail="Registration denied due to suspicious network activity.")

    if risk_assessment["action"] == "FLAG":
        # Proceed but mark account as 'pending_manual_review' or require captcha
        pass

    # Proceed with standard registration logic...
    return {"status": "User created"}

Handling False Positives

Aggressive filtering can lead to false positives. To mitigate this:

  1. Allowlisting: Maintain an allowlist for known corporate partners if you are a B2B application.
  2. Challenge, Don't Just Block: If the IP is a commercial VPN (often used by legitimate users), serve a difficult CAPTCHA or require phone verification (SMS) rather than a 403 Forbidden.
  3. Post-Signup Cleanup: If you cannot add latency to the signup flow, perform the IP check asynchronously. If the IP comes back as hosting, flag the account for immediate suspension.
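The risk-score approach from "Key Risk Signals to Monitor", combined with the partner allowlist and the challenge-instead-of-block rule above, as an added example that is not IPASIS code. The weights, thresholds, sample partner networks and the is_proxy field name are assumptions; is_tor, is_vpn and connection_type follow the article.

```python
import ipaddress
from dataclasses import dataclass, field

# Weights follow the article's tiers (hosting/datacenter high, business medium,
# isp/edu/mobile low). The numbers are illustrative assumptions, not IPASIS values.
CONNECTION_RISK = {"hosting": 80, "datacenter": 80, "business": 30, "isp": 0, "edu": 0, "mobile": 0}
UNKNOWN_CONNECTION_RISK = 20  # no classification returned: lean cautious
VPN_RISK = 40                 # enough to challenge on its own, not to block
BLOCK_THRESHOLD, CHALLENGE_THRESHOLD = 80, 40

# Constructed sample allowlist of B2B partner networks (load from config in practice).
PARTNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8:1::/48")]

@dataclass
class Decision:
    action: str  # "ALLOW", "CHALLENGE" or "BLOCK"
    score: int
    reasons: list = field(default_factory=list)

def is_partner(ip: str) -> bool:
    """True if the address (v4 or v6) falls inside an allowlisted partner network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PARTNER_NETWORKS)

def assess(ip: str, intel: dict) -> Decision:
    """Turn provider fields (is_tor, is_vpn, connection_type; assumed is_proxy) into a decision."""
    if is_partner(ip):
        return Decision("ALLOW", 0, ["partner allowlist"])
    # Tor exits and public proxies are hard blocks regardless of other signals.
    if intel.get("is_tor"):
        return Decision("BLOCK", 100, ["tor exit node"])
    if intel.get("is_proxy"):
        return Decision("BLOCK", 100, ["public proxy"])

    score, reasons = 0, []
    ctype = intel.get("connection_type")
    ctype_risk = CONNECTION_RISK.get(ctype, UNKNOWN_CONNECTION_RISK)
    if ctype_risk:
        score += ctype_risk
        reasons.append(f"connection_type={ctype or 'unknown'}")
    if intel.get("is_vpn"):
        score += VPN_RISK
        reasons.append("vpn")

    if score >= BLOCK_THRESHOLD:
        return Decision("BLOCK", score, reasons)
    if score >= CHALLENGE_THRESHOLD:
        return Decision("CHALLENGE", score, reasons)  # step-up challenge, not a 403
    return Decision("ALLOW", score, reasons)
```

A business network plus a VPN scores 70 and lands in CHALLENGE rather than BLOCK, which is the nuance the VPN bullet asks for.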

FAQ

Q: Will checking IP reputation increase latency?
A: IPASIS utilizes global edge caching to ensure responses are returned in milliseconds. The impact on user-perceived latency is negligible compared to the cost of processing a fraudulent signup.

Q: Can bots bypass IP detection?
A: Bots can use residential proxies (hijacked home devices) to appear as ISPs. However, high-quality IP intelligence APIs track the reputation of these IPs. If an IP is behaving anomalously across the network, it is flagged, even if it belongs to a residential ASN.

Q: Should I block IPv6?
A: No. IPv6 adoption is increasing globally. Ensure your IP intelligence provider supports full IPv6 lookups to avoid alienating legitimate mobile users.

Secure Your User Base

Stop paying to host bot accounts and skewing your analytics. Integrate IPASIS today to detect proxies, VPNs, and bad actors with a single API call.
