IP Geolocation APIs to Minimize Your Attack Surfaces

In the modern world of cybersecurity, the greatest threats to your business are organized, because they are likely to come from criminal gangs or foreign states. So, you need to minimize your company’s attack surface to mitigate risk.

The attack surface is represented by any digital point of your company that could be a source of exposure to threats. Here are the attack surfaces and ways to address them:

  • Data, addressed by:
    • Content filtering (blocking employees from visiting risky websites)
    • Email encryption (end to end encryption)
    • Data loss prevention (filtering what can be transferred outside the company)
    • Cloud backup (creating backups to restore operations should your company suffer a catastrophic attack)
  • Devices, addressed by:
    • Antivirus (installed and updated)
    • Patch management (speed of getting patches for your operating system and applications live)
    • Regular vulnerability scans (testing your antivirus, patch management, and passwords)
    • Web server hardening (move from default configurations and disable risky services)
  • People, addressed by:
    • Secure authentication (single sign on or multi-factor authentication)
    • Secure remote working (forcing all remote workers to connect using the company VPN)
    • Define security processes and policies (defining what needs to be protected and how)
    • Provide security training (training employees on how to protect themselves and the company)

An IP geolocation API can use IP lookup to source data including:

  • A visitor’s location – time zone, country, city, postal code, latitude/longitude
  • A visitor’s connection
    • ASN (Autonomous System Number, which identifies the ISP or Internet Service Provider)
    • Proxies, Virtual Private Networks (VPNs), anonymizers (Tor)

So, geolocation data sourced in real-time by a geolocation API can:

  • Enable content filtering by identifying IP addresses or ranges of IP addresses to be blocked
  • Match IP addresses with known malicious IP addresses
  • Match ASN data with that of known suspicious IP addresses
  • Filter out connections when the user’s location is somewhere your company doesn’t operate
  • Identify IP addresses being used in a DDoS (Distributed Denial of Service) attack and ‘black hole’ them
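The filtering decisions in the list above, written out as code. This is an added example, not code from the article or from any of the vendors it reviews: the response field names (`ip_address`, `country_code`, `asn`, `security.is_proxy`/`is_vpn`/`is_tor`) are assumed, since each provider names them differently, and the allowed-country set, suspicious ASNs, known-bad ranges and sample responses are constructed placeholders drawn from documentation-reserved address space, not real threat intelligence.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed policy inputs: placeholders, not real threat intelligence.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}   # countries where the company operates
SUSPICIOUS_ASNS = {64496, 64497}         # ASNs reserved for documentation (RFC 5398)
KNOWN_BAD_NETWORKS = [                   # documentation ranges (RFC 5737), constructed
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


@dataclass(frozen=True)
class Verdict:
    action: str          # "allow", "review" or "block"
    reasons: tuple       # why the action was chosen, kept for the audit trail


def matches_known_bad(ip) -> bool:
    """True when the address falls inside any known-malicious range."""
    return any(ip in net for net in KNOWN_BAD_NETWORKS)


def evaluate(lookup: dict) -> Verdict:
    """Turn one geolocation API response into an access decision.

    `lookup` uses assumed field names (ip_address, country_code, asn,
    security.is_proxy / is_vpn / is_tor); real providers differ.
    """
    ip = ipaddress.ip_address(lookup["ip_address"])
    security = lookup.get("security", {})
    block, review = [], []

    if matches_known_bad(ip):                           # known malicious IP
        block.append("known_malicious_ip")
    if lookup.get("country_code") not in ALLOWED_COUNTRIES:  # location not served
        block.append("country_not_served")
    if security.get("is_tor"):                          # anonymizer: Tor exit
        block.append("tor_exit_node")
    if lookup.get("asn") in SUSPICIOUS_ASNS:            # ASN shared with known bad IPs
        review.append("suspicious_asn")
    if security.get("is_proxy") or security.get("is_vpn"):
        review.append("anonymizer")

    if block:
        return Verdict("block", tuple(block + review))
    if review:
        return Verdict("review", tuple(review))
    return Verdict("allow", ())


def flood_sources(events, threshold: int, by_asn: bool = False) -> dict:
    """Count requests per source IP (or per ASN) in a log window and return
    the ones above `threshold`: candidates for black-holing during a DDoS."""
    key = (lambda e: e["asn"]) if by_asn else (lambda e: e["ip_address"])
    counts = Counter(key(e) for e in events)
    return {k: n for k, n in counts.items() if n > threshold}


# Constructed sample responses, shaped like what a geolocation API returns.
SAMPLE_LOOKUPS = [
    {"ip_address": "192.0.2.10", "country_code": "US", "asn": 64500,
     "security": {"is_proxy": False, "is_vpn": False, "is_tor": False}},
    {"ip_address": "203.0.113.45", "country_code": "US", "asn": 64500,
     "security": {"is_proxy": False, "is_vpn": False, "is_tor": False}},
    {"ip_address": "192.0.2.77", "country_code": "US", "asn": 64496,
     "security": {"is_proxy": True, "is_vpn": False, "is_tor": False}},
    {"ip_address": "192.0.2.99", "country_code": "XX", "asn": 64500,
     "security": {"is_proxy": False, "is_vpn": False, "is_tor": True}},
]

if __name__ == "__main__":
    for lk in SAMPLE_LOOKUPS:
        print(lk["ip_address"], evaluate(lk))
    # Constructed one-minute request log: one source sends far more than the rest.
    log = ([{"ip_address": "192.0.2.50", "asn": 64501}] * 120
           + [{"ip_address": "192.0.2.51", "asn": 64501}] * 3)
    print(flood_sources(log, threshold=100))               # {'192.0.2.50': 120}
    print(flood_sources(log, threshold=100, by_asn=True))  # {64501: 123}
```

The split between "block" and "review" is a design choice: a known-bad range, a Tor exit or a country the company does not serve are hard signals, while a suspicious ASN or a commercial VPN on its own is circumstantial and better routed to a person than dropped outright. Aggregating the flood count by ASN is useful when a DDoS rotates through many addresses of one network, but black-holing a whole ASN also drops that provider's legitimate customers, so it should be a short-lived, logged action.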

The inability to source IP addresses and ASN data could create some big unknowns in your attack surfaces. So, here are 6 IP geolocation APIs that could help remove such threats.

Abstract IP Geolocation API

Abstract’s IP geolocator is a lightweight, low latency API that’s scalable to a wide range of use cases. It can provide geolocation data such as ASN, city, ZIP or postal code, and latitude/longitude. It’s capable of identifying both IPv4 and IPv6 addresses.

The free API key is available from the Abstract website. Then, implementation of this REST API will prove easy with the clear documentation. The free plan supports up to 20,000 API requests, secured using 256-bit SSL encryption, with responses available in XML format. All key functionality, including the capability to detect proxies, Tor and VPNs, is available at all product tiers.

ip2location

ip2location’s IP geolocation service can detect geolocation data including country code, city, IP address, latitude/longitude, and ASN. A free IP geolocation trial is available. This is a very granular product where you buy credits and use those to source only the exact information you require.

This means that you’ll need to be clear about all the geolocation data you’ll need. It can detect proxies, but full threat data is in a separate product.

ipinfo

ipinfo is a geolocation API that sources location information including IP address, city, latitude/longitude, calling code, and ASN code. A free version is available, but it’s not clear if this provides all location information.

Paid tiers scale up to include more data and API requests, though ASN is available at the lowest paid tier. It appears that threat detection only becomes available at the second paid tier.

Maxmind

Maxmind’s GeoIP Web Services API can detect IP address, city, latitude/longitude, and ASN data. It also pairs location data with a confidence rating. Global servers act to maintain fast response times. It’s not clear whether there’s a free or trial version, so you’d need to contact Maxmind to confirm.

Also, of the three paid tiers, accuracy finer than continent level only becomes available in the second tier, and Tor detection only in the top tier. The full spectrum of threat detection is in a separate product.

ipapi

The ipapi IP geolocation service is a lightweight XML and JSON API. It can source geodata including IP address, city, latitude/longitude and ASN. The free API key can carry out up to 1,000 API requests per month.

However, the free tier isn’t capable of sourcing ASN data. This only becomes available in the first paid tier. A custom Enterprise tier is available. You may need to contact them to clarify at what tier threat detection becomes available.

ipstack

ipstack is a geolocation API that can detect IP address, ASN, latitude/longitude, and more. The free API can process up to 5,000 API requests per month and output location data. However, this doesn’t cover ASN which becomes available in the first paid tier.

Also, it appears that threat detection only becomes available in the second highest tier product: Professional Plus. To confirm, you could contact ipstack directly.

Final words

So, not only can IP geolocation create better customer experiences by displaying localized content, it has a role to play in cybersecurity too. Even if an IP address isn’t already marked as suspicious, IP geolocation can look up its city, latitude/longitude and ASN data and compare them against those of known suspicious IP addresses. If there’s a match, then it’s likely a threat.

However, some IP geolocation services can have their functionality hidden behind different pricing tiers or split off into different products. So, the ideal is to find one that releases as much relevant functionality as possible at all pricing tiers.

Also, as you consider IP geolocation API services, verify how often their database is updated because IP addresses are routinely reassigned to different geographical locations. Also consider whether you need a Service Level Agreement (SLA) to ensure service uptime.