Every login attempt on your app could be a real user — or a bot running through a residential proxy in another country. If you can't tell the difference, you're leaving the door open to account takeovers, payment fraud, and credential stuffing.
The good news: your users' IP addresses already carry the signals you need. You just need to know how to read them.
The Problem with Legacy IP Databases
Most IP lookup solutions are just databases — static files you download and query locally. MaxMind's GeoIP2, for example, is updated weekly. That means:
- VPN and proxy data is always stale. New exit nodes appear hourly. A weekly snapshot misses most of them.
- No active detection. A database can tell you an IP was a proxy last Tuesday. It can't tell you if it's acting like one right now.
- Risk scoring is guesswork. You get a category tag, not a real-time assessment.
If you're relying on this for fraud prevention, you're working with yesterday's data to stop today's attacks.
What Real-Time IP Intelligence Looks Like
Modern IP intelligence works differently. Instead of querying a static file, you make a single API call that returns everything in one shot:
GET https://api.geoiphub.com/v1/lookup?ip=203.0.113.42
The response gives you geolocation (country, region, city, coordinates, timezone), network data (ASN, ISP, connection type), active VPN/proxy/Tor detection, and a 0–100 risk score — all in one call, in under 50ms.
Here's what a typical response looks like:
```json
{
  "ip": "203.0.113.42",
  "country": "Germany",
  "country_code": "DE",
  "city": "Frankfurt",
  "asn": 12345,
  "isp": "Example Hosting GmbH",
  "is_vpn": true,
  "is_proxy": false,
  "is_tor": false,
  "vpn_provider": "NordVPN",
  "connection_type": "datacenter",
  "risk_score": 78,
  "risk_factors": ["vpn_detected", "datacenter_ip", "open_proxy_ports"]
}
```
That risk_score is the key. It's not a guess — it's computed from 40+ weighted signals including network ownership, open-port probes, blocklist intelligence, and behavioral patterns. And every flag that fires comes with evidence, so you can audit why a decision was made.
Practical Example: Blocking Suspicious Logins
Here's a Python middleware pattern you can drop into any Flask or Django app:
```python
import logging
import requests
from functools import wraps

GEOIPHUB_API_KEY = "your-api-key"
log = logging.getLogger(__name__)


def check_ip_risk(ip_address):
    """Query GeoIPHub and return the risk assessment, or None on any failure."""
    try:
        resp = requests.get(
            "https://api.geoiphub.com/v1/lookup",
            params={"ip": ip_address},
            headers={"Authorization": f"Bearer {GEOIPHUB_API_KEY}"},
            timeout=3,  # fail fast, don't block legitimate users
        )
    except requests.RequestException:
        # A timeout raises instead of returning a status code, so catch it here
        log.warning("GeoIPHub lookup failed for %s", ip_address)
        return None  # fail open, don't lock users out
    if resp.status_code != 200:
        return None  # API down — fail open, don't lock users out
    return resp.json()


def require_trusted_ip(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        client_ip = get_client_ip()  # your own helper
        result = check_ip_risk(client_ip)
        if result and result.get("risk_score", 0) >= 75:
            # High risk — require 2FA or block outright (your own handler)
            return handle_high_risk(result)
        if result and result.get("is_vpn"):
            # VPN detected — flag but don't block (your own logging helper)
            log_suspicious_attempt(client_ip, result)
        return f(*args, **kwargs)
    return decorated
```
The key design choices here:
- 3-second timeout. If the API is slow or down, you fail open — never block a legitimate user because a third-party service is lagging.
- Risk threshold, not hard blocks. A score of 75 triggers extra verification (2FA), not an outright ban. VPN usage alone is flagged, not blocked — plenty of legitimate users browse through VPNs.
- Log everything. Even when you allow the request, record the signals for post-incident analysis.
Beyond Logins: Other Use Cases
The same lookup pattern works for:
- Payment screening. Compare the IP geolocation against the billing address. A mismatch doesn't mean fraud, but it's a signal worth combining with others.
- Bot detection. Datacenter IPs + open proxy ports + high request volume = almost certainly a bot. You don't need ML for the obvious cases.
- Geo-compliance. If you need to block certain countries for regulatory reasons, the country_code field handles it without a separate database.
- Content localization. The timezone and coordinates let you serve localized content without asking the user.
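The decision rules from the middleware section and the use cases above, combined into one explainable policy function that keeps the evidence behind every outcome. This is an added example, not GeoIPHub's code or part of the original post; the sample lookup, the blocked-country set, and the request-volume cutoff are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample, shaped like the lookup response shown earlier.
SAMPLE_LOOKUP = {
    "ip": "203.0.113.42", "country_code": "DE", "asn": 12345,
    "is_vpn": True, "is_proxy": False, "is_tor": False,
    "connection_type": "datacenter", "risk_score": 78,
    "risk_factors": ["vpn_detected", "datacenter_ip", "open_proxy_ports"],
}

BLOCKED_COUNTRIES = {"XX"}       # placeholder ISO codes (assumption)
RISK_CHALLENGE_THRESHOLD = 75    # the article's 2FA threshold
BOT_REQUESTS_PER_MINUTE = 300    # assumed volume cutoff for the bot heuristic


@dataclass
class Decision:
    action: str                  # "allow", "challenge" or "block"
    signals: list = field(default_factory=list)  # evidence for audit logs


def evaluate(lookup, billing_country=None, requests_per_minute=0):
    """Apply the article's rules to one lookup result, keeping the evidence.
    `lookup` is None when the API call failed: fail open, but record it."""
    if lookup is None:
        return Decision("allow", ["lookup_unavailable"])
    signals = list(lookup.get("risk_factors", []))  # copy, don't mutate input
    country = lookup.get("country_code")
    # Geo-compliance: hard block, independent of the risk score.
    if country in BLOCKED_COUNTRIES:
        return Decision("block", signals + ["blocked_country"])
    # Bot heuristic: datacenter IP + open proxy ports + high request volume.
    if (lookup.get("connection_type") == "datacenter"
            and "open_proxy_ports" in signals
            and requests_per_minute >= BOT_REQUESTS_PER_MINUTE):
        return Decision("block", signals + ["bot_pattern"])
    # Payment screening: a billing/geo mismatch is a signal, not a verdict.
    if billing_country and country and billing_country != country:
        signals.append("billing_country_mismatch")
    # Risk threshold: step up to 2FA rather than ban outright.
    if lookup.get("risk_score", 0) >= RISK_CHALLENGE_THRESHOLD:
        return Decision("challenge", signals)
    # VPN alone is flagged for review, never blocked.
    if lookup.get("is_vpn"):
        signals.append("vpn_flagged")
    return Decision("allow", signals)
```

The returned signals list is what you log on every request, including the allowed ones, so a later review can see exactly which factors fired.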
What to Look for in an IP Intelligence API
If you're evaluating options, here's what actually matters:
| Feature | Why it matters |
|---|---|
| Active detection (not just database lookup) | VPNs and proxies change hourly, not weekly |
| Explainable risk score | You need to justify why a user was blocked |
| Every field on every plan | Don't get gated behind enterprise tiers for basic data |
| Sub-50ms response time | You're putting this in your request path |
| Generous free tier | You need room to test before committing |
I've been using GeoIPHub for this — it's a real-time IP intelligence API that checks all those boxes. The free tier gives you 1,500 lookups a day with no credit card, and every plan returns every field (geolocation, VPN/proxy detection, ASN, risk score). Unseen IPs get classified live in under 2.5 seconds, then cached for sub-millisecond retrieval.
The Bottom Line
IP intelligence isn't optional anymore. Bots, credential stuffers, and fraud rings are sophisticated — they rotate through residential proxies, exploit compromised devices, and move faster than any weekly database update can track.
The fix is straightforward: query every login, every checkout, every signup against a real-time intelligence layer. Block or challenge the high-risk ones. Log the rest. It's a few lines of middleware that eliminate an entire class of attacks.
Want to try it yourself? GeoIPHub's free tier gives you 1,500 daily lookups with full data access — no credit card required.