Bot Protection & WAF Rules — Country, ASN, and VPN Signals
Cut malicious traffic 60–90% with three IP signals you probably aren’t using yet.
Most bot traffic is noisy, cheap, and distinguishable at the network layer before it hits your app. Rate-limiting is downstream; IP-layer filtering is upstream. Combine country, ASN (hosting-provider), and VPN/Tor signals into a single WAF rule and your app tier gets materially quieter.
The business problem
Bots cost money three ways:
- Compute — credential-stuffing, scraping, and LLM-training crawlers drown legit traffic.
- Noise — fake signups, form spam, and content flooding clog analytics + moderation queues.
- Abuse — promo-code abuse, inventory-hoarding, review manipulation, SMS-pump fraud.
Meanwhile, almost all of this traffic shares a pattern: it originates from hosting ASNs (AWS, GCP, Azure, DigitalOcean, Hetzner) or from commercial VPN exits. Real humans almost never shop, sign up, or browse your docs from an EC2 instance, so the origin network alone separates most of it from legitimate visitors.
Implementation
Cloudflare Workers (edge)
```javascript
export default {
  async fetch(req, env, ctx) {
    const ip = req.headers.get("CF-Connecting-IP");
    // Match rules on the path only: testing req.url lets "?next=/api/" in a query string flip a rule
    const path = new URL(req.url).pathname;
    // Cache the lookup per IP at the edge so the API is called once per IP per TTL, not per request
    const cache = caches.default;
    const cacheKey = new Request(new URL(`/__ipgeo/${ip}`, req.url).toString()); // synthetic same-origin key
    let lookup = await cache.match(cacheKey);
    if (!lookup) {
      lookup = await fetch(`https://api.ipgeo.10b.app/v1/lookup/${ip}`, {
        headers: { Authorization: `Bearer ${env.IPGEO_KEY}` }
      });
      // Fail open: an unreachable lookup service must not become a site-wide 5xx
      if (!lookup.ok) return fetch(req);
      lookup = new Response(lookup.body, lookup);
      lookup.headers.set("Cache-Control", "public, max-age=900"); // 15-minute TTL
      ctx.waitUntil(cache.put(cacheKey, lookup.clone()));
    }
    const geo = await lookup.json();
    // Block if: data-center origin on a non-API path
    if (geo.is_hosting && !path.startsWith("/api/")) {
      return new Response("Blocked", { status: 403 });
    }
    // CAPTCHA if: VPN or Tor + sensitive path (signup, login, checkout).
    // Response.redirect() needs an absolute URL, so resolve it against the request.
    if ((geo.is_vpn || geo.is_tor) && /^\/(signup|login|checkout)(\/|$)/.test(path)) {
      return Response.redirect(new URL("/challenge?reason=vpn", req.url).toString(), 302);
    }
    return fetch(req);
  }
};
```
NGINX + Lua (self-hosted WAF)
```nginx
# nginx.conf (http context): env IPGEO_KEY;  lua_shared_dict ipgeo 10m;
# Behind a proxy/CDN add set_real_ip_from + real_ip_header, or remote_addr is the proxy, not the client.
access_by_lua_block {
    local cjson      = require "cjson.safe"
    local resty_http = require "resty.http"
    local ip    = ngx.var.remote_addr
    local cache = ngx.shared.ipgeo
    local body  = cache:get(ip)
    if not body then
        local httpc = resty_http.new()
        httpc:set_timeout(200)  -- ms; a slow lookup must not stall the request
        local res, err = httpc:request_uri("https://api.ipgeo.10b.app/v1/lookup/" .. ip, {
            method = "GET",
            headers = { ["Authorization"] = "Bearer " .. os.getenv("IPGEO_KEY") },
            ssl_verify = true,
        })
        if not res or res.status ~= 200 then
            ngx.log(ngx.WARN, "ipgeo lookup failed: ", err or res.status)
            return  -- fail open
        end
        body = res.body
        cache:set(ip, body, 900)  -- 15-minute TTL
    end
    local geo = cjson.decode(body)
    if not geo then return end
    -- AS13335 is Cloudflare; keep the exemption only if Cloudflare proxies this host
    if geo.is_tor or (geo.is_hosting and geo.asn ~= "AS13335") then
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    ngx.ctx.geo = geo
}
```
Rule library (WAF patterns worth stealing)
| Rule | Action | Rationale |
|---|---|---|
| `is_tor == true` | Block or CAPTCHA | Tor exit nodes are public and low-trust for transactional flows |
| `is_hosting == true AND path != /api/*` | Block | No human browses marketing pages from EC2 |
| `country_code IN [sanctioned]` | 451 response | See ./geoblocking-compliance.md |
| `asn IN [known-abuser list]` | Challenge | Maintain a small list (e.g. AS14061, DigitalOcean, when abuse keeps recurring from it) |
| `is_vpn == true AND sensitive_path` | CAPTCHA | Allow privacy-conscious users but add friction on signup/pay |
| `> 50 requests/min from same /24 subnet` | Rate-limit | Covers proxy-pool botnets |
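The table as one ordered decision function, added here as an example rather than code from the page or the vendor. It assumes the lookup returns the fields named on this page (`is_tor`, `is_hosting`, `is_vpn`, `is_proxy`, `asn` as an `ASnnnn` string, `country_code`); the sanctioned-country set, the abuser and crawler ASN lists and the 50-per-minute threshold are placeholders to tune per site, and the `/24` counter lives in process memory, so a multi-node WAF needs a shared store (KV, Redis) behind the same interface.

```javascript
// Added example (not the page's or the vendor's code): the WAF rule table as one
// ordered decision function over the lookup fields the page names
// (is_tor, is_hosting, is_vpn, is_proxy, asn, country_code) plus the request path.
// Every list and threshold below is a placeholder to tune per site.
const SANCTIONED_COUNTRIES = new Set(["KP", "IR", "SY", "CU"]); // placeholder; see the geoblocking doc
const ABUSER_ASNS = new Set(["AS14061"]);                        // placeholder "known-abuser" list
const CRAWLER_ASNS = new Set(["AS15169", "AS8075", "AS13238", "AS32934"]); // ASN fast-path only; verify the crawler separately
const SENSITIVE_PATH = /^\/(signup|login|checkout)(\/|$)/;
const RATE_LIMIT = 50;    // requests per minute per /24
const WINDOW_MS = 60_000; // sliding window length

// Sliding-window counter keyed by IPv4 /24 (IPv6 would key on /64). Kept in
// process memory for the example; a multi-node WAF needs a shared store.
const buckets = new Map();
function subnet24(ip) {
  return ip.split(".").slice(0, 3).join(".") + ".0/24";
}
function countSubnetHit(ip, now) {
  const key = subnet24(ip);
  const recent = (buckets.get(key) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  buckets.set(key, recent);
  return recent.length;
}

// Returns { action, rule }. The first matching rule wins, so the order is the
// policy: volume first, legal hard-stops next, then network-identity rules from
// strongest (Tor) to weakest (VPN on a sensitive path).
function decide(geo, path, ip, now = Date.now()) {
  if (countSubnetHit(ip, now) > RATE_LIMIT) return { action: "rate-limit", rule: "subnet-/24" };
  if (SANCTIONED_COUNTRIES.has(geo.country_code)) return { action: "451", rule: "sanctioned-country" };
  if (geo.is_tor) return { action: "block", rule: "tor" };
  if (CRAWLER_ASNS.has(geo.asn)) return { action: "allow", rule: "crawler-asn" };
  if (geo.is_hosting && !path.startsWith("/api/")) return { action: "block", rule: "hosting-non-api" };
  // Reached only for hosting ASNs on /api/ paths, or for non-hosting ASNs on the list
  if (ABUSER_ASNS.has(geo.asn)) return { action: "challenge", rule: "abuser-asn" };
  if ((geo.is_vpn || geo.is_proxy) && SENSITIVE_PATH.test(path)) return { action: "challenge", rule: "vpn-sensitive-path" };
  return { action: "allow", rule: "default" };
}

// Constructed sample lookups (ASNs, flags and addresses invented for the demo)
const SAMPLES = [
  [{ asn: "AS16509", is_hosting: true, country_code: "US" }, "/pricing", "192.0.2.10"],   // EC2 on a marketing page
  [{ asn: "AS16509", is_hosting: true, country_code: "US" }, "/api/v1/x", "192.0.2.11"],  // EC2 calling the API
  [{ asn: "AS3320", is_vpn: true, country_code: "DE" }, "/login", "192.0.2.12"],          // VPN user logging in
  [{ asn: "AS3320", is_vpn: true, country_code: "DE" }, "/docs/intro", "192.0.2.13"],     // VPN user reading docs
  [{ asn: "AS1299", is_tor: true, country_code: "DE" }, "/", "192.0.2.14"],               // Tor exit
];
for (const [geo, path, ip] of SAMPLES) console.log(path, ip, decide(geo, path, ip));
```

Because the hosting rule fires before the abuser-ASN rule, a listed hosting ASN on a marketing page is blocked outright and only its `/api/` traffic gets the softer challenge; swap the two lines if you prefer challenge-over-block for listed networks everywhere.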
Why IP Geo API for this use case
- Three threat-intel fields in the base response (`is_vpn`, `is_proxy`, `is_tor`), no add-on SKU.
- Hosting / data-center flag (`is_hosting`) distinguishes cloud IPs from residential ISPs at ASN granularity.
- ASN + organisation name lets you maintain short "always-block" and "always-allow" lists (e.g. Googlebot → `AS15169` → allow; an abuse-heavy VPS provider → block).
- Bulk lookup: for log-analysis pipelines, one call returns up to 100 IPs.
- Edge-friendly latency: median ≤ 40 ms EU, ≤ 80 ms US. Fits inside Cloudflare Workers, Fastly Compute, Vercel Edge.
Pricing math
Most WAFs cache lookups for 5–60 minutes (IP → decision). A site with 10 M page-views/mo typically does 50–200 K unique-IP lookups per month.
| Unique IPs/mo | Tier | Cost |
|---|---|---|
| < 30 K | Free | € 0 |
| < 1 M | Starter | € 29 |
| < 10 M | Business | € 99 |
At € 29/mo, you’re paying roughly 1 cloud-VM-hour per 1 million requests protected. It pays for itself the first time it blocks a single credential-stuffing run.
Honest trade-offs
- Residential proxies evade `is_proxy`. Determined attackers rent residential proxy pools ($50–500/mo); these show up as ordinary ISP IPs on ordinary ASNs. If you are targeted rather than drive-by scraped, add device fingerprinting or behavioural signals.
- Corporate VPNs look like VPNs. Your B2B customers on a work VPN will trip `is_vpn`. Never block on `is_vpn` alone: combine it with sensitive-path logic and use it to challenge, not block.
- Googlebot and friends are on hosting ASNs. Keep an allowlist for `AS15169` (Google), `AS8075` (Microsoft), `AS14618` (Amazon bots), `AS13238` (Yandex), `AS32934` (Facebook). The caveat: these ASNs also announce tenant address space (Google Cloud VMs sit under AS15169, Azure VMs under AS8075, much of EC2 us-east-1 under AS14618), so an ASN-only allowlist re-admits exactly the data-center traffic the hosting rule blocks. Use the ASN as a fast-path, then confirm the crawler with forward-confirmed reverse DNS or the vendor's published crawler IP ranges. Our API exposes the ASN; you decide the rule.
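The crawler confirmation the last bullet calls for, as an added example rather than the page's or the vendor's code: forward-confirmed reverse DNS. The PTR record of the source IP must sit in the vendor's crawler domain, and the forward lookup of that hostname must return the same IP, because a PTR on its own is set by whoever controls the reverse zone for the address. The resolver is injected (`reverse(ip)`, `resolve(host)`, mirroring Node's `dns.promises`) so the block runs offline against DNS records constructed for the demo; the verification domains are the ones Google and Microsoft publish for Googlebot and Bingbot.

```javascript
// Added example (not the page's or the vendor's code): forward-confirmed reverse DNS
// for a crawler arriving on an allowlisted ASN. PTR -> vendor domain -> A record -> same IP.
// The resolver is injected; in production pass an object wrapping dns.promises.reverse
// and dns.promises.resolve (or a DoH client at the edge).

// Verification domains the vendors publish for their crawlers (Google, Bing).
const CRAWLER_DOMAINS = {
  googlebot: [".googlebot.com", ".google.com"],
  bingbot: [".search.msn.com"],
};

function inDomain(host, suffixes) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return suffixes.some((s) => h.endsWith(s)); // leading dot rejects "evil-googlebot.com"
}

async function verifyCrawler(ip, claimed, resolver) {
  const suffixes = CRAWLER_DOMAINS[claimed];
  if (!suffixes) return { ok: false, reason: "unknown-crawler" };
  let ptrs;
  try {
    ptrs = await resolver.reverse(ip);
  } catch {
    return { ok: false, reason: "no-ptr" };
  }
  for (const host of ptrs) {
    if (!inDomain(host, suffixes)) continue; // a tenant VM's PTR never lands in the crawler domain
    let addrs;
    try {
      addrs = await resolver.resolve(host);
    } catch {
      continue; // hostname does not forward-resolve: treat as unconfirmed
    }
    if (addrs.includes(ip)) return { ok: true, host }; // forward record agrees with the source IP
  }
  return { ok: false, reason: "not-forward-confirmed" };
}

// Constructed DNS data for the offline demo (addresses and names are invented).
const FAKE_PTR = {
  "192.0.2.10": ["crawl-192-0-2-10.googlebot.com"],  // genuine: forward record agrees
  "203.0.113.4": ["crawl-192-0-2-10.googlebot.com"], // spoofed PTR in an attacker-controlled reverse zone
  "203.0.113.5": ["vm-5.example-cloud.test"],        // tenant VM sharing the crawler's ASN
};
const FAKE_FWD = {
  "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
  "vm-5.example-cloud.test": ["203.0.113.5"],
};
const fakeResolver = {
  reverse: async (ip) => { if (!FAKE_PTR[ip]) throw new Error("NXDOMAIN"); return FAKE_PTR[ip]; },
  resolve: async (host) => { if (!FAKE_FWD[host]) throw new Error("NXDOMAIN"); return FAKE_FWD[host]; },
};

for (const ip of Object.keys(FAKE_PTR)) {
  verifyCrawler(ip, "googlebot", fakeResolver).then((r) => console.log(ip, r));
}
```

Cache the verdict per IP with the same TTL as the geo lookup; the two DNS round trips are far too slow to run inline on every request, and the result is stable for the life of the crawler's address.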
Related use cases
- Fraud detection — ./fraud-detection.md
- Geoblocking / compliance — ./geoblocking-compliance.md
- Visitor analytics — ./visitor-analytics.md
Read also
Five narrative deep-dives comparing IP Geo API to the providers most often shortlisted in the IP-geolocation market:
- IP Geo API vs ipinfo.io in 2026: When the EU Alternative Wins (and When It Doesn’t) → — code-level migration sketch + 2026 pricing math at 100K / 1M / 10M req/mo.
- IP Geo API vs MaxMind in 2026: SaaS vs DB Download — Which Stack Wins? → — when GeoIP2 binary still wins, when EU-hosted SaaS wins, and how the math changes at 1M+ req/mo.
- IP Geo API vs ipstack in 2026: HTTPS-on-Free, EU Hosting, and the Security Module Question → — why HTTP-only free tiers break browser-side calls, bundled threat-detection vs add-on Security Module.
- IP Geo API vs ipapi.co in 2026: Free-Tier Generosity vs Predictable Latency → — how the bundled-everything pricing model plays out at 100K / 1M req/mo.
- IP Geo API vs ipgeolocation.io in 2026: Bundled Endpoints, Bundled Threat-Detection, and the EU-Residency Question → — separately-priced Security API vs bundled threat block, USD vs EUR billing, ~600B vs ~1.4KB payload.
- IP Geo API vs IP2Location in 2026: REST-First vs Database-Download — Which Model Wins for Your Stack? → — REST-only managed API vs annual BIN/CSV/MMDB licensing, IP2Proxy bundling cost, EU residency.
- IP Geo API vs DB-IP in 2026: REST-First vs DB-Download — Which EU Vendor Wins for Your Stack? → — attribution-free free tier, EU-edges-only, bundled threat detection vs per-axis subscription stack.
Plus seven hands-on migration guides for teams switching from an incumbent provider — code-level field-shape walkthroughs, edge-cache patterns, and rollback notes:
- Migrate from MaxMind GeoIP2 to IP Geo API (2026 walkthrough) → — drop the weekly `.mmdb` sync, swap to a REST call with the same field shape, edge-cache patterns + CSV→JSON field map.
- Migrate from ipinfo.io to IP Geo API (2026 walkthrough) → — `loc`-string parsing, `org` ASN+name regex split, and `Authorization`-header edge-stripping gotchas.
- Migrate from ipstack to IP Geo API (2026 walkthrough) → — HTTP→HTTPS scheme flip, `security.*` empty-vs-populated branch behaviour, `connection.asn` integer typing.
- Migrate from ipapi.co to IP Geo API (2026 walkthrough) → — per-day rate-limit fragmentation, `org` ASN+name regex, attribution-backlink scrub for paid-tier customers.
- Migrate from ipgeolocation.io to IP Geo API (2026 walkthrough) → — separately-billed Security API SKU consolidation, `apiKey`-in-URL log-leak hardening, and `latitude`/`longitude` string-vs-number gotchas.
- Migrate from IP2Location to IP Geo API (2026 walkthrough) → — BIN/CSV/MMDB-download decommission, IP2Proxy SKU consolidation, USD-annual-prepay-to-EUR-monthly billing migration, and `proxy_type` enum-vs-split-booleans gotchas.
- Migrate from DB-IP to IP Geo API (2026 walkthrough) → — MMDB/CSV-download decommission, IP-to-Threat / Anonymous / Datacenter SKU consolidation, CC-BY-4.0 attribution-backlink scrub, and `countryCode3` ISO-3 vs ISO-2 gotchas.
Get started
Free tier: 1 000 lookups / day → /pricing. Sign up at https://ipgeo.10b.app/pricing.
Industry deep-dives
- IP Geolocation for Fintech — KYC, Sanctions Screening, Fraud, and EU Residency → — fintech-specific deep-dive: the three IP-control surfaces (KYC country-of-origin, OFAC/EU sanctions, payment-fraud risk), EU-hosted GDPR posture, EUR billing, ASN-level hosting detection, and ≤40 ms median EU-edge latency for 800-1200 ms PSP authorisation budgets.
- IP Geolocation for Ad-Tech — RTB Enrichment, SIVT/IVT Filtering, and Click-Fraud Attribution → — ad-tech-specific deep-dive: the three IP-control surfaces (RTB bid enrichment with ≤40 ms latency budget + OpenRTB 2.6 device.geo/device.ext, SIVT/IVT filtering with IAB-confirmed datacenter ASN block-list, click-fraud post-back attribution + risk scoring), EU-hosted GDPR + ePrivacy + IAB-TCF v2.2 posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.
- IP Geolocation for iGaming — Licence-Jurisdiction Enforcement, VPN-Circumvention Scoring, and Self-Exclusion Register Routing → — iGaming-specific deep-dive: the three IP-control surfaces (licence-jurisdiction enforcement with hard-fail-closed posture across MGA/UKGC/KSA/DGOJ/ANJ/ADM/DAS, anti-circumvention scoring with residential-proxy ASN block-list covering Bright Data + Oxylabs + Smartproxy + IPRoyal, self-exclusion register routing to GamStop/CRUKS/ROFUS/Spelpaus/OASIS by IP-country), EU-hosted GDPR + EGBA posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.
- IP Geolocation for SaaS Monetization — Geo-Pricing, EU-VAT/DAC7 Tax-Routing, Trial-Abuse Scoring, and OFAC/EAR Export-Controls → — SaaS-specific deep-dive: the four IP-control surfaces (PPP-anchored geo-pricing with ≤40 ms checkout-flow budget, EU-VAT-MOSS + OECD DAC7 tax-routing to the right Stripe/Adyen/Braintree/Paddle tax-id, trial-abuse detection with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, and OFAC SDN + EAR export-controls feature-gating), EU-hosted GDPR posture, bundled threat fields, ASN-level granularity, and predictable EUR billing.
- IP Geolocation for Streaming Media — Content Licensing, VPN-Bypass Defence, CDN POP Steering, and SSAI Ad-Insertion → — Streaming-media-specific deep-dive: the four IP-control surfaces (per-territory licensing enforcement with hard-fail-closed HTTP 451 on ambiguous resolve, VPN/proxy/Tor circumvention defence with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal, CDN POP steering and adaptive bitrate-ladder selection across Akamai/Cloudflare/Fastly/BunnyCDN/Lumen, and SSAI ad-insertion targeting with sports blackout windows via Haversine GPS-distance), ≤40 ms session-init budget on EU edges, studio-grade 24-month audit trail, threat fields on every plan, ASN-level granularity, and EU-hosted GDPR + AVMSD (Directive 2018/1808) posture.
- IP Geolocation for E-commerce — Tax-Jurisdiction Routing, BIN-vs-IP Carding Defence, PPP-Adjusted Currency Display, and Shipping-Zone Fulfilment Routing → — E-commerce-specific deep-dive: the four IP-control surfaces (EU OSS distance-sales 27-rate map + UK VAT 20% + CH-VAT 7.7% + NO MVA 25% + US Wayfair 13-state nexus + CA GST/HST per-province + AU/SG/IN/BR/JP GST/ICMS/JCT with sanctions hard-stop on IR/KP/SY/CU/BY/RU/MM/VE at checkout; BIN-vs-IP carding + refund-fraud 6-factor weighted score at place-order with residential-proxy ASN block-list across Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3; PPP-adjusted 7-tier pricebook on first paint with VPN/proxy fall-back to BIN-billing-country; 9-warehouse fulfilment routing FRA/AMS/MAD/MIL/DOV/IAD/LAX/DEL/SIN with DDP/DDU duty pre-calc and lithium/aerosol/prescription destination-gates), ≤40 ms checkout-first-paint budget, DAC7/GDPR/EU OSS audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.
- IP Geolocation for Healthcare — Cross-Border Telehealth Licensing, HIPAA PHI/EPHI Access Geofencing, EU Patient-Data Residency w/ Schrems II Routing, and Cross-Border Pharma + DEA Schedule Gating → — Healthcare-specific deep-dive: the four IP-control surfaces (cross-border telehealth licensure match at consult-init w/ US IMLC 41-state partial + CA/FL/NY/TX independent + EU MRPQ Directive 2005/36/EC + DE Bundesärztekammer + NL BIG + FR ONM + UK GMC + HTTP 451 hard-fail-closed on jurisdiction-mismatch + NO_RECIPROCITY hard-stop on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO; HIPAA 45 CFR §164.308(a)(4) PHI/EPHI access geofencing w/ clinical-ASN allowlist Epic/Cerner/Allscripts/Mayo/MGH/Cleveland/Kaiser + residential-proxy ASN reject Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + home-office BAA-attested workstation allowlist + risk_score < 30 soft-allow; EU patient-data residency w/ GDPR Art. 9 special-category + EDPB Recommendations 01/2020 supplementary technical measures + Schrems II SCC flag for US-shard + routing to 6 EHR shards EU-FRA/EU-AMS/UK-LON/US-IAD/CA-YYZ/AU-SYD w/ VPN/proxy → fall-back to EU-FRA highest protection; cross-border pharma + controlled-substance gating w/ DEA Schedules I-V + Ryan Haight Act §3 in-person-eval requirement for telemed Rx + EU Falsified Medicines Directive 2011/62/EU originator-country audit + per-country bans for cannabis/CBD/psilocybin/MDMA/kratom), ≤40 ms consult-init budget, HIPAA/GDPR Art. 9/Schrems II/DEA/EU FMD audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.
- IP Geolocation for Travel + Hospitality — Geo-Rate Enforcement + Dynamic-Pricing per Booking Origin, OTA Carding + ATO Defence, OFAC/EU CONSILIUM/UK OFSI Sanctions Screening at Booking-Init, and GDS + EU OSS / DAC7 Reporting → — Travel/hospitality-specific deep-dive: the four IP-control surfaces (geo-rate enforcement + dynamic-pricing per booking origin w/ 8-tier pricebook T1 EU-Lux 1.00x → T8 Africa 0.75x + VPN/proxy/Tor fall-back to T2_NA_LUX anti-arbitrage + SANCTIONS_HARDSTOP on IR/KP/SY/CU/BY/RU/MM/VE/AF/SO HTTP 451 at search-render + BIN-billing-country pin at checkout; OTA carding + ATO defence at booking checkout w/ corporate-travel-platform ASN allowlist AS-CWT/Amex GBT/BCD/FCM/Egencia/Navan/Amadeus/Sabre fast-lane + consumer-OTA reject on VPN/Tor/relay + residential-proxy ASN block Bright Data/Oxylabs/Smartproxy/IPRoyal/Tier3 + 6-factor carding score threshold ≥70; OFAC + EU CONSILIUM + UK OFSI sanctions screening at booking-init w/ sanctioned-origin hard-stop regardless of session residency + EU 6AMLD compelled-disclosure on VPN/proxy + US-Cuba 31 CFR §515 General License gate + luxury-segment AML thresholds yacht €10K / private jet €20K / villa €5K/night / heli €3K + PEP screen + source-of-funds eval; GDS + inventory routing + EU OSS / DAC7 reporting w/ Amadeus EU/UK + Sabre US/CA + Travelport APAC + 27 EU-MS destination-VAT rates DE 19% → HU 27% + NO 25% + CH 8.1% + UK 20% + DAC7 Directive 2021/514 reportable-platform-operator evidence-log 5-year retention + Jan-31 lead-MS annual report), ≤40 ms search-render budget, OFAC/EU CONSILIUM/UK OFSI/DAC7/EU OSS/HOTREC audit posture, bundled threat fields on every plan, ASN-level granularity, and EUR billing.
Get early access — 50% off for 12 months
First 100 signups lock in 50% off any paid plan for the first year. No credit card required — we’ll email you at launch.