Detecting High-Risk IPs Using ASN and ISP Data: A Developer’s Guide

In modern web architecture, identifying the origin of an incoming request is a prerequisite for security and fraud prevention. While geographic data (country or city) is useful for localization, it is often insufficient for risk assessment. To truly understand the nature of a connection, developers must look at the Autonomous System Number (ASN) and Internet Service Provider (ISP) data.

By analyzing who owns the IP space and how it is routed, you can differentiate between a legitimate user on a residential fiber connection and a malicious bot originating from a data center.

Detecting highly risky IPs using ASN and ISP data from IP-API service

Understanding ASNs and ISPs in a Security Context

An Autonomous System (AS) is a collection of IP networks managed by a single entity—such as an ISP, a university, or a large technology corporation—that follows a common routing policy. Each AS is assigned a unique identifier known as an ASN.

From a security engineering perspective, ASNs allow you to categorize traffic into "neighborhoods." For example, if you see a surge in login attempts from an ASN belonging to a low-cost cloud provider, the risk profile is significantly higher than traffic originating from an ASN assigned to a major consumer ISP like Comcast or Deutsche Telekom. See Akamai's take on determining risky ASNs.

The Role of ISP Data

While the ASN identifies the routing entity, the ISP data provides the commercial name of the organization providing the connection. Together, these data points allow you to perform Connection Type Analysis. For advanced developers, we suggest maintaining a list having all the ISP names around the world. Whitelist any IP that has ISP mapped in this list.

High-Risk Traffic Patterns

Detecting high-risk IPs involves looking for specific signatures within the ASN and ISP fields. Most malicious activity originates from three specific types of network environments:

1. Data Centers and Hosting Providers

The majority of automated scraping, credential stuffing, and DDoS attacks originate from data centers. Unlike residential users, data center IPs allow for massive scale and high bandwidth at low costs.

2. Public Proxies and VPNs

Users often use VPNs to bypass geo-restrictions or mask their identity. While not always malicious, high-risk transactions (like credit card processing) should be scrutinized if the ISP is identified as a known VPN provider (e.g., NordVPN, Mullvad).

3. "Bulletproof" Hosting

Some ASNs are known for hosting "bulletproof" services that ignore DMCA takedowns and abuse complaints. Security teams often maintain blocklists of these specific ASNs to proactively drop traffic at the edge.

An ASN often represents:

Because ASNs change infrequently, they provide a durable signal for risk classification.

ISP (Internet Service Provider)

ISP data describes the company providing connectivity for the IP address. This can be:

ISP names complement ASN data and are useful for human-readable classification and rule-building.

How ASN & ISP-Based Risk Detection Works

Internally, IP intelligence systems:

  1. Map the IP address to its ASN using BGP routing tables
  2. Associate the ASN with an organization and network type
  3. Classify the ISP (residential, hosting, mobile, enterprise)
  4. Apply risk heuristics or allow/block rules based on:

This approach works for both IPv4 and IPv6, although IPv6 allocations tend to be larger and may represent more mixed usage within a single ASN.

Practical Implementation: Analyzing IP Intelligence Data

To implement this logic, your backend must query an IP intelligence API during the request lifecycle. Below is a practical example of how this data looks and how to interpret it.

The API Request

You can retrieve ASN and ISP data for any IPv4 or IPv6 address using a simple GET request.

curl -X GET "https://api.ip2geoapi.com/ip/8.8.8.8?key=YOUR_API_KEY"

If you don’t have an API key, you can get a free key with 100,000 requests per month from https://ip2geoapi.com

The JSON Response

A comprehensive IP intelligence response includes specific blocks for the network owner and routing information.

{
  "success": true,
  "ip": "8.8.8.8",
  "version": "ipv4",
  "geo": {
    "city": "Chicago",
    "country": "United States",
    "countryCode": "US",
    "region": null,
    "regionCode": null,
    "latitude": 37.751,
    "longitude": -97.822,
    "postalCode": null,
    "geonameId": 6252001,
    "accuracyRadius": 1000,
    "metroCode": null,
    "continentName": "North America",
    "continentCode": "NA",
    "isEuMember": false
  },
  "countryInfo": {
    "name": "United States of America",
    "alpha2Code": "US",
    "alpha3Code": "USA",
    "flag": "https://api.ip2geoapi.com/assets/flags/us.svg",
    "callingCodes": [
      "1"
    ],
    "currencies": [
      {
        "code": "USD",
        "name": "United States dollar",
        "symbol": "$"
      }
    ],
    "languages": [
      {
        "iso639_1": "en",
        "iso639_2": "eng",
        "name": "English",
        "nativeName": "English"
      }
    ]
  },
  "timezoneInfo": {
    "timezone": "America/Chicago",
    "utcOffsetSeconds": -21600,
    "utcOffsetText": "-06:00",
    "utcOffsetHours": -6,
    "isDst": false,
    "abbreviation": "CST",
    "localTime": "2026-01-20T21:30:58-06:00"
  },
  "network": {
    "cidr": "8.8.8.8/32",
    "prefixLen": 32,
    "asn": 15169,
    "asFormatted": "AS15169",
    "asName": "GOOGLE",
    "isp": "Google",
    "organization": "Google",
    "connectionType": "Corporate",
    "mobile": {
      "mcc": null,
      "mnc": null
    }
  },
  "asDetails": {
    "asn": 15169,
    "abuser_score": "0.001 (Low)",
    "descr": "GOOGLE, US",
    "country": "us",
    "active": true,
    "org": "Google LLC",
    "domain": "google.com",
    "abuse": "[email protected]",
    "type": "hosting",
    "created": "2000-03-30",
    "updated": "2012-02-24",
    "rir": "ARIN"
  },
  "security": {
    "isHosting": true,
    "isProxy": false,
    "proxyType": null,
    "isVpn": false,
    "vpnProvider": null,
    "vpnProviderUrl": null,
    "isTor": false,
    "isAnonymous": true,
    "trustScore": 65,
    "riskLevel": "medium"
  }
}

Key Fields for Risk Scoring:

asDetails.type: In this example, the type is "hosting." This is a primary indicator that the request is not coming from a standard home or mobile connection.

asDetails.org: Used to identify the organization.

network.isp: The ISP name.

network.cidr: The specific BGP prefix. This helps in identifying if an entire subnet is involved in an attack.

Example Risk Rule (Pseudo-Code):

if asDetails.type == "hosting" then
    increase_risk_score(50)
end

if network.isp in KNOWN_ISP_LIST then
    allow_request()
end

if asDetails.asn in BLOCKED_ASN_LIST then
    block_request()
end

const response = await fetch(`https://api.ip2geoapi.com/ip/${clientIp}?key=${API_KEY}`);
const data = await response.json();

if (data.asDetails.type === 'hosting' || data.asDetails.type === 'proxy') {
    if (currentAction === 'signup' || currentAction === 'payment') {
        triggerExtraFraudVerification();
    }
}
ASN / ISP Type Action
Residential ISP Allow
Mobile Carrier Allow with rate limits
Hosting Provider CAPTCHA or email verification
VPN ASN Block or deny free features

Leveraging ip2geoapi.com for Intelligence

To build a robust detection system, you need access to accurate, low-latency ASN data. ip2geoapi.com provides a highly optimized infrastructure for exactly this purpose.

While many providers gate their ASN and ISP data behind expensive enterprise tiers, we believe this information is fundamental to web security. We offer a generous free tier of 100,000 requests per month, which is more than enough for most startups and mid-sized applications to implement comprehensive IP filtering.

Our API supports both IPv4 and IPv6, ensuring your security logic remains consistent across the modern web. The response times are engineered for middleware integration, ensuring that adding security checks doesn't degrade your user experience.

Get Started: Register for a free API key and get 100K monthly requests instantly.

Accuracy Limitations and Edge Cases

While ASN and ISP data are powerful, developers should be aware of certain technical nuances:

Performance and Security Considerations

When integrating IP intelligence into your hot path (e.g., checking every incoming request), follow these best practices:

Conclusion

ASN and ISP data provide a reliable, infrastructure-level method for detecting high-risk IP addresses. Unlike volatile IP reputation lists, ASN-based signals are stable, explainable, and suitable for long-term policy enforcement.

By integrating ASN and ISP intelligence into backend systems—using APIs such as ip2geoapi.com—teams can make informed security decisions, reduce abuse, and maintain a balanced user experience without relying on fragile heuristics.

For teams building secure, scalable systems, ASN-aware IP intelligence is a foundational component rather than an optional enhancement.

Vijay Prajapati
About the Author

Vijay Prajapati

I am a backend developer and founder of IP2GeoAPI, specializing in IP geolocation, network intelligence, and API architecture. I focus on building fast, accurate and scalable APIs for developers.

Connect on LinkedIn

Ready to Integrate?

Start using our IP geolocation & intelligence API in minutes. Sign up now and get your FREE API key with 100,000 monthly quota every month — no credit card required.

Join developers worldwide who rely on IP2GeoAPI for speed, accuracy, and reliability.