
Comment by mattl

4 days ago

do you have the user agent string of their browser?

did you look up the AS number of the IP addresses they're using?

Yeah, the UA is pretty consistent but very generic. It reads as a desktop browser.

We did not look up the AS number. Can you describe what we'd be looking for there? Based on how the address was changing, I assume they're using Tor or some kind of VPN that will obfuscate the IP, so I didn't spend much time looking at them.

  • Try running some of the IPs through a proxy detection API like https://ipinfo.io/products/proxy-vpn-detection-api or https://proxycheck.io/

    You can't trust those services 100% but you can use them to turn up the level of turnstile/captcha/verification on those clients.

    I'm somewhat concerned that you don't know what you'd be looking for (or how to verify Tor) if you're running an e-commerce platform; fraud is an almost certain outcome for any store, and merchant providers (PayPal, Stripe, Adyen, etc.) want zero to do with helping you solve that (even if you're only embedding their JavaScript!).

    • I work for IPinfo. If the OP sends me a list of problematic IP addresses, we would be happy to look into them and send back the parent IP ranges. This way, they can block them on the firewall or through a simple IP-based blocklist.

  • Yep, or consider just blocking AS numbers of places people typically aren't purchasing things from, such as cheap VPS companies.

    The user agents, can you post those?

    • Check if the client sends the "Accept" and/or "Accept-Language" header. Or check if the order of request headers matches what would be expected from that generic User Agent. You'd be surprised how often they fail to send "Accept-Language", while every "normal" browser does.

  • If the IPs all belong to a single AS you could look at blocking just that traffic, or make a complaint to the AS.

    You could also gather geolocation data from the IPs and block commonalities.

  • What do the IP addresses belong to? As in, are they data center IPs, or residential addresses?

    Consider blocking all Tor IPs, known data center ranges and the like.

  • You can look up the AS and other info, like detected proxies or VPNs, using the form on https://iplocate.io/what-is-my-ip (disclaimer: I've run this service since 2017).

    If they come from a consistent AS, you can block the AS. If they're using a proxy or VPN, you could try blocking those. If you don't expect to get traffic from hosting providers, you can block where `asn.type == 'hosting'`.
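The header checks suggested above (missing Accept / Accept-Language, header order that does not fit the claimed User-Agent) and the ASN-type check (`asn.type == 'hosting'`) combine naturally into a single request-risk score that raises the captcha level instead of hard-blocking on one unreliable signal. The following is an added example written for this page, not code from any commenter or from ipinfo/iplocate/proxycheck. The ASN table, the per-browser header-order fingerprints, the sample requests and all IPs/ASNs are constructed for illustration; a real deployment would replace `lookup_asn` with a call to a lookup service and the fingerprints with a maintained database.

```python
"""Score a storefront request from the signals discussed in the thread.

Signals (all assumptions for this example, not an authoritative fingerprint set):
  * Accept / Accept-Language header missing
  * relative order of a few headers does not match the browser the UA claims
  * client IP belongs to a hosting/VPS ASN rather than a residential ISP
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for an ASN/proxy lookup service. Prefixes are from the
# documentation ranges (RFC 5737) and ASNs from the private range; they are
# illustrative only.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), {"asn": "AS64496", "type": "hosting"}),
    (ip_network("198.51.100.0/24"), {"asn": "AS64497", "type": "isp"}),
    (ip_network("192.0.2.0/24"), {"asn": "AS64498", "type": "hosting"}),
]

# Assumed relative order of a few request headers per browser family.
# Chrome sends Accept-Encoding before Accept-Language; Firefox the reverse.
HEADER_ORDER_FINGERPRINTS = {
    "firefox": ["user-agent", "accept", "accept-language", "accept-encoding"],
    "chrome": ["user-agent", "accept", "accept-encoding", "accept-language"],
}


def lookup_asn(ip: str) -> dict:
    """Return ASN info for an IP from the constructed table."""
    addr = ip_address(ip)
    for net, info in ASN_TABLE:
        if addr in net:
            return info
    return {"asn": None, "type": "unknown"}


def browser_family(user_agent: str) -> Optional[str]:
    """Very rough UA classification; enough to pick a header-order fingerprint."""
    ua = user_agent.lower()
    if "firefox/" in ua:
        return "firefox"
    if "chrome/" in ua and "edg/" not in ua:
        return "chrome"
    return None


def score_request(headers: List[Tuple[str, str]], client_ip: str) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Headers must be given in wire order."""
    names = [name.lower() for name, _ in headers]
    score, reasons = 0, []

    if "accept" not in names:
        score += 2
        reasons.append("missing Accept")
    if "accept-language" not in names:
        score += 3
        reasons.append("missing Accept-Language")

    ua = next((value for name, value in headers if name.lower() == "user-agent"), "")
    family = browser_family(ua)
    if family is None:
        score += 1
        reasons.append("unrecognised User-Agent")
    else:
        # Compare only the fingerprint headers that are actually present, in
        # the order the browser family is assumed to emit them.
        expected = [h for h in HEADER_ORDER_FINGERPRINTS[family] if h in names]
        observed = [h for h in names if h in expected]
        if observed != expected:
            score += 2
            reasons.append(f"header order does not match {family}")

    info = lookup_asn(client_ip)
    if info["type"] == "hosting":
        score += 3
        reasons.append(f"hosting ASN {info['asn']}")

    return score, reasons


def verification_level(score: int) -> str:
    """Escalate the challenge; proxy/ASN data is not reliable enough to block outright."""
    if score >= 5:
        return "block-or-manual-review"
    if score >= 3:
        return "captcha"
    return "none"


# Constructed sample requests (header tuples in the order they arrived).
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
REAL_FIREFOX = [
    ("Host", "shop.example"),
    ("User-Agent", FIREFOX_UA),
    ("Accept", "text/html,application/xhtml+xml"),
    ("Accept-Language", "en-US,en;q=0.5"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Connection", "keep-alive"),
]
BOT_CLAIMING_FIREFOX = [
    ("Host", "shop.example"),
    ("Accept-Encoding", "gzip"),
    ("Accept", "*/*"),
    ("User-Agent", FIREFOX_UA),
]

if __name__ == "__main__":
    for label, hdrs, ip in [("real", REAL_FIREFOX, "198.51.100.20"),
                            ("bot", BOT_CLAIMING_FIREFOX, "203.0.113.7")]:
        s, why = score_request(hdrs, ip)
        print(label, s, verification_level(s), why)
```

The weights are deliberately small and additive so that a single false positive from the ASN lookup (which the thread notes cannot be trusted 100%) only raises the captcha level, while a request that fails several independent checks gets held for review.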