ASNs** (AWS, Hetzner, DigitalOcean) are disproportionately represented in malicious activity relative to their size, making type: HOSTING a high-signal prior for automated attacks.
- Single-call enrichment reduces vendor roundtrips by ~50%, cutting latency and API costs while maintaining a composite risk score.
- Sweet Spot: Combining ASN
type classification with threat_score, is_vpn, and is_proxy flags in one request delivers enterprise-grade fraud signals without the overhead of multiple data providers.
Core Solution
The solution implements a composite risk-scoring engine that normalizes ASN metadata with real-time security signals. It is designed as drop-in Express middleware with caching, fail-open fallback logic, and graceful error handling.
Architecture Decisions:
- Use
ipgeolocation.io /v3/ipgeo endpoint to fetch ASN and security data in a single call.
- Cache responses by IP to reduce API calls and latency.
- Implement fail-open logic: if the API times out or returns an error, default to a neutral risk score to avoid blocking legitimate traffic.
- Normalize signals into a 0β100 risk score using weighted thresholds.
API Fetch Implementation:
curl -s "https://api.ipgeolocation.io/v3/ipgeo?\
apiKey=${IPGEO_API_KEY}&\
ip=49.12.0.1&\
include=security&\
fields=asn,security.threat_score,security.is_vpn,security.is_proxy,security.is_tor,security.is_residential_proxy"
Response (trimmed to the fields we care about):
{
"ip": "49.12.0.1",
"asn": {
"as_number": "AS24940",
"organization": "Hetzner Online GmbH",
"type": "HOSTING",
"country": "DE",
"domain": "hetzner.com",
"rir": "RIPE"
},
"security": {
"threat_score": 80,
"is_vpn": false,
"is_proxy": false,
"is_tor": false,
"is_residential_proxy": false
}
}
Node.js Implementation:
// fetchIpIntel.js
// Returns ASN + security data for a given IP address
const API_KEY = process.env.IPGEO_API_KEY;
const BASE_URL = 'https://api.ipgeolocation.io/v3/ipgeo';
async function fetchIpIntel(ip) {
const params = new URLSearchParams({
apiKey: API_KEY,
ip,
include: 'security',
fields: 'asn,security.threat_score,security.is_vpn,security.is_proxy,security.is_tor,security.is_residential_proxy',
});
try {
const res = await fetch(`${BASE_URL}?${params}`, {
signal: AbortSignal.timeout(1
Risk Scoring & Middleware Logic:
The calculateRiskScore() function maps ASN types and security flags to a normalized score. ASN type acts as a prior, while security signals adjust the baseline. Fail-open caching ensures pipeline resilience.
// riskMiddleware.js
const cache = new Map();
const CACHE_TTL = 3600000; // 1 hour
function calculateRiskScore(data) {
if (!data) return 50; // Default neutral on failure
let score = 0;
const { asn, security } = data;
// ASN type weighting
if (asn.type === 'HOSTING') score += 30;
if (asn.type === 'BUSINESS') score += 5;
if (asn.type === 'EDUCATION') score += 10;
// Security signal weighting
score += (security.threat_score || 0) * 0.3;
if (security.is_vpn) score += 20;
if (security.is_proxy) score += 25;
if (security.is_tor) score += 35;
if (security.is_residential_proxy) score += 30;
return Math.min(100, Math.max(0, score));
}
module.exports = function ipRiskMiddleware(req, res, next) {
const ip = req.ip || req.connection.remoteAddress;
const cached = cache.get(ip);
if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
req.riskScore = cached.score;
return next();
}
fetchIpIntel(ip).then(data => {
const score = calculateRiskScore(data);
cache.set(ip, { score, timestamp: Date.now() });
req.riskScore = score;
next();
}).catch(() => {
req.riskScore = 50;
next();
});
};
Pitfall Guide
- Treating ASN Type as a Binary Block Rule: Blocking all
HOSTING traffic will lock out developers testing from cloud VMs, monitoring services, and legitimate SaaS webhook callbacks. Use ASN type to adjust risk scores, not as an absolute deny.
- Ignoring Fail-Open Logic: IP intelligence APIs can rate-limit or timeout. Without graceful fallbacks, your authentication pipeline will block legitimate users during provider outages. Always default to a neutral risk score on fetch failure.
- Overweighting Single Signals: Relying solely on
threat_score or is_vpn without ASN context leads to high false positives. A residential proxy (is_residential_proxy: true) from an ISP ASN requires different handling than a cloud proxy from a HOSTING ASN.
- Skipping Response Caching: ASN and security classifications rarely change for a given IP. Querying the API on every request wastes budget and increases latency. Implement TTL-based caching (e.g., 1 hour) to optimize cost and performance.
- Misinterpreting BUSINESS/EDUCATION Types: Corporate and university networks are often assumed "safe," but they are frequent sources of compromised endpoints and internal scanning. Treat them as medium-context signals that require correlation with threat scores and session behavior.
- Neglecting Rate Limits & API Tiers: ASN data may be free, but security signals (
include=security) typically require paid tiers. Unthrottled parallel requests will quickly exhaust quotas. Implement request queuing or batch processing for high-traffic endpoints.
- Static Thresholds in Dynamic Environments: Fraud tactics evolve. Hardcoding risk score thresholds (e.g.,
>70 = block) without periodic review leads to drift. Implement dynamic thresholding based on historical conversion and fraud rates.
Deliverables
- π Fraud Detection Blueprint: Architecture diagram showing the integration of ASN enrichment, risk scoring engine, caching layer, and Express middleware. Includes data flow for fail-open fallback and cache invalidation strategies.
- β
Implementation Checklist: Step-by-step verification for API key configuration, environment variable setup, middleware registration, cache TTL tuning, and threshold calibration.
- βοΈ Configuration Templates: Pre-built
.env examples, Express middleware registration snippets, and risk score threshold matrices for staging vs. production environments. Includes curl test scripts for validating ASN/security payload parsing.
