Leveraging ASN and ISP Intelligence for Advanced Fraud Mitigation
Beyond Simple IP Blacklisting
Reliance on static IP blacklists is insufficient for modern fraud detection. Attackers rotate through residential proxies and short-lived cloud instances, so a single address rarely accumulates enough history to be blocked before it is discarded. To improve detection accuracy, security engineers should also analyse the infrastructure layer: the Autonomous System Number (ASN) that announces the route for an address and the Internet Service Provider (ISP) that operates it.
This guide outlines how to programmatically utilize ASN and ISP data to identify anomalies in user traffic, specifically focusing on distinguishing legitimate residential traffic from hosting/data center traffic often used in automated attacks.
The Semantics of ASN and ISP Data
Every IP address belongs to an Autonomous System (AS) managed by a specific organization. Understanding the type of organization is critical for risk scoring.
1. Hosting vs. Residential Context
Legitimate user traffic typically originates from:
- Residential ISPs (e.g., Comcast, AT&T, Deutsche Telekom).
- Mobile Carriers (e.g., Verizon Wireless, T-Mobile, Vodafone).
Malicious automation (credential stuffing, scraping, DDoS) typically originates from:
- Hosting Providers (e.g., DigitalOcean, AWS, OVH, Hetzner).
If a user attempts a high-value action (checkout, login) from an IP belonging to a hosting provider, the probability of automation rises sharply, because few real customers browse from a data center. Commercial VPN egress points usually sit in hosting ASNs as well: VPN use is legitimate for privacy, but it is anomalous for a localized e-commerce purchase and warrants a challenge rather than an outright block.
2. ASN Velocity Tracking
Sophisticated attackers rotate IPs to evade single-IP bans, but a pool bought from one proxy vendor or spun up in one cloud region still shares a handful of subnets and ASNs. Tracking request velocity at the ASN level therefore exposes distributed attacks that per-IP rate limits miss.
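The following Python example is added here to show the point concretely; it is not code from the original page or from any vendor. It counts login attempts per IP and per ASN over one fixed 60-second window of constructed events (documentation IP ranges and the documentation ASNs 64496 and 64497; the limits of 5 per IP and 10 per ASN are assumed for illustration). Every IP stays under its own limit, yet the ASN aggregate shows the attack.

```python
from collections import Counter

# Constructed sample events for illustration: (unix_ts, source_ip, asn).
# AS64496/AS64497 come from the range reserved for documentation (RFC 5398)
# and the IPs from documentation prefixes (RFC 5737). Six attacker IPs in
# AS64496 each make two attempts; three ordinary users sit in AS64497.
SAMPLE_EVENTS = [
    (1699999990, "203.0.113.10", 64496),   # outside the window, must be ignored
    (1700000001, "203.0.113.10", 64496),
    (1700000002, "203.0.113.10", 64496),
    (1700000005, "203.0.113.11", 64496),
    (1700000006, "203.0.113.11", 64496),
    (1700000010, "203.0.113.12", 64496),
    (1700000011, "203.0.113.12", 64496),
    (1700000020, "203.0.113.13", 64496),
    (1700000021, "203.0.113.13", 64496),
    (1700000030, "203.0.113.14", 64496),
    (1700000031, "203.0.113.14", 64496),
    (1700000040, "203.0.113.15", 64496),
    (1700000041, "203.0.113.15", 64496),
    (1700000015, "198.51.100.1", 64497),   # ordinary users on another network
    (1700000025, "198.51.100.2", 64497),
    (1700000035, "198.51.100.3", 64497),
]


def in_window(events, window_start, window_seconds):
    """Keep only events with window_start <= ts < window_start + window_seconds."""
    end = window_start + window_seconds
    return [e for e in events if window_start <= e[0] < end]


def velocity_report(events, window_start, window_seconds=60,
                    per_ip_limit=5, per_asn_limit=10):
    """Count requests per IP and per ASN inside one fixed window.

    Returns the raw counts plus the IPs and ASNs that exceed their limits.
    A per-IP limit alone misses an attacker who spreads requests across many
    addresses of one network; the per-ASN aggregate catches it. The limits
    are assumed values for this example, not recommended production numbers.
    """
    window = in_window(events, window_start, window_seconds)
    per_ip = Counter(ip for _, ip, _ in window)
    per_asn = Counter(asn for _, _, asn in window)
    return {
        "per_ip": dict(per_ip),
        "per_asn": dict(per_asn),
        "ips_over_limit": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        "asns_over_limit": sorted(a for a, n in per_asn.items() if n > per_asn_limit),
    }


if __name__ == "__main__":
    report = velocity_report(SAMPLE_EVENTS, window_start=1700000000)
    print("per-IP over limit: ", report["ips_over_limit"])    # []
    print("per-ASN over limit:", report["asns_over_limit"])   # [64496]
    print("AS64496 requests:  ", report["per_asn"][64496])    # 12
```

In production the ASN counter lives in a shared store (the Redis middleware later on this page does exactly that) and the per-ASN threshold must be sized to the ASN: ten requests per minute is an attack from a small hosting ASN and background noise from a national ISP.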
Technical Implementation
Below are implementation strategies for integrating IP intelligence into your application logic.
Python: Risk Scoring Middleware
The following Python snippet demonstrates a function that queries IP metadata and calculates a risk score based on the ISP type and ASN organization.
import requests

HIGH_RISK_ASNS = {16276, 14061}  # Example list: OVH, DigitalOcean


def get_ip_risk_score(ip_address):
    """Look up IP metadata and return (score, metadata)."""
    # Call to IPASIS or a similar intelligence provider; the field names below
    # follow that provider's JSON response. Always set a timeout so a slow
    # upstream cannot stall the login path, and let HTTP errors surface.
    response = requests.get(f"https://api.ipasis.com/json/{ip_address}", timeout=2)
    response.raise_for_status()
    data = response.json()
    score = 0

    # Factor 1: proxy / crawler flags reported by the provider
    if data.get('is_crawler') or data.get('is_proxy'):
        score += 50

    # Factor 2: ASN type. Hosting/data center IPs are high risk for user logins
    asn_info = data.get('asn') or {}
    asn_type = asn_info.get('type', 'unknown')  # e.g. 'hosting', 'isp', 'business'
    if asn_type == 'hosting':
        score += 30
    elif asn_type == 'business':
        score += 10

    # Factor 3: ASN reputation (hardcoded example list)
    if asn_info.get('asn') in HIGH_RISK_ASNS:
        score += 20

    return score, data


# Usage
ip = "203.0.113.45"
risk, metadata = get_ip_risk_score(ip)
if risk > 60:
    print(f"BLOCK: High risk traffic from {metadata.get('org', 'unknown org')}")
elif risk > 30:
    print("CHALLENGE: Serve 2FA or Captcha")
else:
    print("ALLOW: Legitimate traffic")
Node.js: ASN-Based Rate Limiting
In a Node.js/Express environment, use middleware to track request counts per ASN in Redis, so a botnet spread across 1,000 IPs of the same provider cannot overwhelm your endpoints. Two caveats: req.ip is only the client address when Express's trust proxy setting matches your load balancer (set it too loosely and a client can forge X-Forwarded-For and choose its own ASN), and a flat limit such as 100 requests per minute is far too low for a large residential ISP, so apply the limit to sensitive routes only and scale it per ASN type or per observed baseline.
const redis = require('./redis-client');
const axios = require('axios');

// Requires app.set('trust proxy', ...) to match your load balancer; otherwise
// req.ip is the proxy's address, and a too-permissive setting lets clients
// forge X-Forwarded-For and pick the ASN they are counted under.
const WINDOW_SECONDS = 60;
const MAX_REQUESTS_PER_ASN = 100; // tune per ASN; far too low for a large residential ISP

async function asnRateLimiter(req, res, next) {
  const ip = req.ip;
  let asn;
  try {
    // 1. Fetch IP intelligence (cache this; one upstream call per request is costly)
    const geoResponse = await axios.get(`https://api.ipasis.com/json/${ip}`, { timeout: 500 });
    asn = geoResponse.data?.asn?.asn;
  } catch (err) {
    // Lookup failed or timed out: fail open so a provider outage does not take the site down
    return next();
  }
  if (!asn) return next();

  // 2. Count requests per ASN in a fixed window
  const key = `rate_limit:asn:${asn}`;
  const currentUsage = await redis.incr(key);
  if (currentUsage === 1) {
    await redis.expire(key, WINDOW_SECONDS);
  }
  if (currentUsage > MAX_REQUESTS_PER_ASN) {
    return res.status(429).json({
      error: "Too Many Requests",
      message: "Traffic volume from your network provider is too high."
    });
  }
  next();
}

module.exports = asnRateLimiter;
Handling Edge Cases
University and Enterprise Networks
Traffic from universities or large corporate VPNs often resolves to business ASNs, so strict filtering on non-residential ISPs generates false positives there. Allowlist (whitelist) the specific ASNs of partner organizations or universities if your user base is academic, and treat the 'business' ASN type as a weak signal rather than grounds for blocking.
Dual-Stack (IPv4/IPv6)
Ensure your logic handles IPv6. Mobile carriers rely heavily on it, and they also put many IPv4 subscribers behind carrier-grade NAT, so a single IPv4 address from a carrier can represent thousands of users and per-IP limits over-block there. An IPv6 address from T-Mobile is consistent with a legitimate mobile user (though mobile proxy networks exist, so it is a signal, not proof), whereas an IPv6 address from a cloud provider is likely a bot. Counters and limits should key on the /64 prefix for IPv6, because a subscriber is normally delegated a whole /64 and can rotate through it freely, and your code should recognise IPv4-mapped addresses (::ffff:a.b.c.d), which dual-stack sockets report for IPv4 clients.
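As an added example (not code from the original page), the Python below normalises a raw client address into the key a rate limiter or velocity counter should bucket on: IPv4 stays as-is, IPv4-mapped IPv6 is unwrapped, and native IPv6 collapses to its /64. The sample addresses are constructed from documentation ranges; the /64 default and the choice to skip unparsable strings rather than fail are assumptions for this example.

```python
import ipaddress
from collections import Counter


def aggregation_key(raw_ip, v6_prefix=64):
    """Return the key a rate limiter or velocity counter should bucket on.

    IPv4            -> the address itself.
    IPv4-mapped v6  -> the embedded IPv4 address (dual-stack sockets report
                       IPv4 peers as ::ffff:a.b.c.d, e.g. Node's req.ip).
    IPv6            -> the enclosing /64 by default, because one subscriber
                       is normally delegated a whole /64 and can rotate
                       through every address in it without changing network.
    Raises ValueError for input that is not an IP address.
    """
    addr = ipaddress.ip_address(raw_ip.strip())
    if isinstance(addr, ipaddress.IPv6Address):
        mapped = addr.ipv4_mapped
        if mapped is not None:
            return str(mapped)
        return str(ipaddress.IPv6Network((addr, v6_prefix), strict=False))
    return str(addr)


def bucket_counts(addresses, v6_prefix=64):
    """Count requests per aggregation key.

    Unparsable strings are skipped and returned separately so a malformed
    header cannot crash the hot path (assumed policy for this example).
    """
    counts, rejected = Counter(), []
    for raw in addresses:
        try:
            counts[aggregation_key(raw, v6_prefix)] += 1
        except ValueError:
            rejected.append(raw)
    return counts, rejected


# Constructed sample: one IPv6 client rotating inside its /64, a neighbour in
# the next /64, an IPv4 client seen both natively and IPv4-mapped, and junk.
SAMPLE_ADDRESSES = [
    "2001:db8:abcd:12::1",
    "2001:db8:abcd:12::2",
    "2001:db8:abcd:12:ffff:ffff:ffff:ffff",
    "2001:db8:abcd:13::1",          # neighbouring /64: a different subscriber
    "203.0.113.45",
    "::ffff:203.0.113.45",
    "not-an-ip",
]

if __name__ == "__main__":
    counts, rejected = bucket_counts(SAMPLE_ADDRESSES)
    for key, n in counts.most_common():
        print(f"{key:28} {n}")      # 2001:db8:abcd:12::/64 counts 3 times
    print("rejected:", rejected)    # ['not-an-ip']
```

Feed the returned key, not the raw address, into the Redis counter from the middleware above; otherwise an IPv6 client rotating inside its /64 gets a fresh counter on every request and an IPv4 user arriving as ::ffff:203.0.113.45 is counted separately from the same user arriving as 203.0.113.45.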
FAQ
Q: How often does ASN data change? A: ASN allocations are relatively stable, but prefix-to-ASN mappings change as address blocks are transferred, and ISPs reallocate subnets between residential and business tiers. Real-time lookups track these changes better than a locally maintained database; cache responses with a short TTL so the lookup does not sit on the hot path of every request.
Q: Can attackers fake their ASN? A: Not for web traffic. The ASN is derived from the BGP route that announces the source address, and although an attacker can forge the source IP of individual packets (UDP spoofing), they cannot complete the TCP handshake an HTTP request needs with a spoofed address. What they can do is originate traffic from address space that classifies as residential, via residential proxy networks or compromised home routers, so treat the ASN as a risk signal rather than proof of who the client is. The ASN you see is also whatever your lookup provider has recorded for that prefix, so stale data is a more practical concern than spoofing.
Q: Should I block all Hosting ASNs? A: Not necessarily. If your application offers an API intended for server-to-server communication, blocking hosting ASNs will break it; exempt those routes and rely on their own authentication instead. For user-facing login forms or payment gateways, blocking or challenging hosting ASNs is a common practice.
Integrate IPASIS for Real-Time Precision
Building internal databases for ISP classification is maintenance-heavy and prone to staleness. IPASIS provides a robust, low-latency API delivering real-time ASN, ISP, and proxy detection data.
Stop guessing. Start detecting.