IP Intelligence playbook
Block credential stuffing and fake signups at the IP layer
Credential stuffing waves are the cheapest, highest-volume attack on most consumer products. Lists of leaked passwords get cycled against login endpoints from datacenter farms or commercial-proxy fleets at hundreds of attempts per second. Behavioural defenses help but cost CPU and latency on every request. Filtering at the IP layer first is dramatically cheaper.
This playbook hooks the IP Intelligence API into the /login and /signup handlers. Hosting-ASN traffic gets a challenge (captcha or step-up). Severity-2 traffic gets a hard 401 with no error leak about which step failed. Residential-proxy traffic gets stricter per-/24 rate limits because that is how the pools rotate.
Try it now
The free tier returns the same response shape. Sign in for a key, replace the placeholder, and watch the response.
    curl -H "Authorization: Bearer dk_live_..." \
      "https://dnschkr.com/api/v1/ip?address=$REQ_IP"

    # At the /login or /signup boundary:
    # data.asn.type === "hosting" -> challenge (captcha or step-up)
    # data.recommendation.severity >= 2 -> hard block
    # data.is_residential_proxy === true -> stricter rate limits per /24
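The three rules above, applied as one decision function at the /login or /signup boundary. This is an added example, not code from the original page or from the API vendor: the response field names are the page's, while the limits, the 60-second window, the rule precedence and the function names are assumptions.

```javascript
// Added example. Field names come from the page; limits, window and helper names are assumptions.
const WINDOW_MS = 60_000;
const PER_IP_LIMIT = 20;        // assumed: attempts per IP per window
const PER_SLASH24_LIMIT = 5;    // assumed: stricter shared budget for residential-proxy /24s
const GENERIC_401 = { status: 401, body: { error: "Authentication failed" } };
const attempts = new Map();     // rate-limit key -> timestamps inside the window

// Collapse an IPv4 address to its /24; returns null for anything else (e.g. IPv6).
function slash24(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return `${m[1]}.${m[2]}.${m[3]}.0/24`;
}

// Sliding-window counter: records this attempt and reports whether the key is over budget.
function overLimit(key, limit, now) {
  const recent = (attempts.get(key) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  attempts.set(key, recent);
  return recent.length > limit;
}

// intel is the parsed JSON body of the IP lookup; ip is the client address.
function decide(ip, intel, now = Date.now()) {
  const data = (intel && intel.data) || {}; // missing lookup = no signal (assumption)
  // Hard block first (assumed precedence): same 401 body whatever rule fired.
  if ((data.recommendation?.severity ?? 0) >= 2) return { action: "block", ...GENERIC_401 };
  // Residential proxies rotate inside a pool, so the whole /24 shares one budget.
  // Non-IPv4 addresses fall back to the per-IP budget.
  const pooled = data.is_residential_proxy === true && slash24(ip);
  const key = pooled || ip;
  const limit = pooled ? PER_SLASH24_LIMIT : PER_IP_LIMIT;
  if (overLimit(key, limit, now)) return { action: "rate_limited", status: 429 };
  if (data.asn?.type === "hosting") return { action: "challenge" };
  return { action: "allow" };
}
```

The in-memory Map only works for a single process; a shared store is needed once the handlers run on more than one instance.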
What this catches
The vast majority of credential-stuffing volume comes from a small number of hosting ASNs. Tor exit nodes and public proxies appear in the long tail. Commercial residential-proxy networks (Bright Data, Smartproxy, Oxylabs) are the hardest of the three categories but still trackable via ASN signal where the egress network is publicly known. Each detection ships with detection_sources[] so the security team can audit a specific block decision later.
SDK-residential pools (EarnApp, Honeygain) cannot be flagged at the IP layer. Their egress IPs belong to real residential ISPs and look identical to legitimate user traffic. For that segment, behavioural signals at the auth handler (typing cadence, browser fingerprint stability, prior session anchor) remain the right defense.