IP Risk Checker

VPN/proxy detection methods: 1) IP database lookups (IPHub, IPQualityScore) - maintain lists of known VPN/proxy IPs. 2) Port scanning (common proxy ports: 8080, 3128, 1080). 3) Reverse DNS (VPN providers have identifiable PTR records). 4) Timing analysis (increased latency). 5) WebRTC leak detection (reveals real IP). Use cases: prevent fraud, enforce geo-restrictions, detect account sharing. Limitation: residential proxies harder to detect. Combine multiple signals.

Threat intelligence score quantifies IP risk level (0-100). Calculated from: malware C2 activity, botnet membership, scanning behavior, spam sources, phishing sites, abuse reports, threat feed presence. High score (80+) = block, medium (40-79) = challenge (CAPTCHA, MFA), low (<40) = allow. Sources: AlienVault OTX, AbuseIPDB, VirusTotal, Shodan. Update scores daily. Use with context - recently reassigned IPs may have stale reputations. Combine with behavior analytics.

Tor exit node detection: 1) Query Tor Bulk Exit List (check.torproject.org). 2) DNS blackhole lookup (ip.dnsel.torproject.org). 3) Commercial APIs (IPQualityScore, IPHub). 4) Maintain local Tor exit node list (updated hourly). Exit nodes change frequently - update lists regularly. Use cases: prevent anonymous abuse, enforce access policies, fraud prevention. Consider: Tor used for legitimate privacy (journalists, activists). Balance security with privacy rights. Option: allow but require additional verification.

IP geolocation maps IPs to physical locations using routing data, registrar info, user-reported data. Accuracy: country (95-99%), city (55-80%), coordinates (~50km radius). Providers: MaxMind GeoIP2, IP2Location, ipdata. Data includes: country, region, city, coordinates, ISP, ASN, timezone. Used for: geo-blocking, fraud detection (billing vs IP mismatch), analytics, content localization. Limitations: VPNs/proxies show VPN location, mobile IPs imprecise, privacy concerns. Update databases monthly.

IP risk checking prevents credential stuffing (automated login attempts using breached passwords). Defenses: 1) Block high-risk IPs (data centers, botnets, Tor). 2) Rate limiting per IP. 3) CAPTCHA for suspicious IPs. 4) MFA for all accounts. 5) Credential breach monitoring. 6) Device fingerprinting. 7) Behavioral analysis (login patterns). 8) Bot detection (F5, DataDome). Block: IPs with high threat scores, proxy/VPN usage during login, abnormal login velocities. Monitor login attempts by IP.

Autonomous System Number (ASN) identifies network ownership (ISP, cloud provider, organization). Examples: AS15169 (Google), AS16509 (Amazon AWS), AS8075 (Microsoft Azure). Use for: identifying cloud/hosting IPs (higher fraud risk), ISP reputation, ASN-level blocking (block entire malicious networks), threat intelligence correlation. Check ASN: whois lookup, IP databases. High-risk ASNs: bulletproof hosting providers, known botnet operators. Whitelist: legitimate cloud services (verify API keys), corporate VPNs.

Check frequency depends on risk tolerance and traffic: Real-time checking: user logins, transactions, API calls (check every request). Cached checking: cache results 1-24 hours for performance (reduce API costs). Batch checking: nightly scans of access logs, firewall rules updates. Continuous monitoring: security tools (SIEM, firewall) with hourly threat feed updates. High-risk environments: check every request + update block lists hourly. Balance: API rate limits, latency, cost. Use multi-tier caching (Redis) for high-volume sites.