Auth0 Signals API for newbies

The Product Manager dilemma

Deciding whether to detect (and, as a result, block) users who hide their identity behind anonymity services is not easy. Every Product Manager of an online service faces this dilemma sooner or later: let users try the product with as little friction as possible, or tighten the registration conditions and drive away potential customers. Today the general trend is to ask for no more data than necessary to test the service. Once a convinced user wants to become a customer, the service asks for additional information such as billing details and payment methods.

However, this idyllic environment is not what most SaaS providers face daily. The Internet allows very high levels of anonymity for everyone, but there is always a subset of users who use their anonymity to abuse the services.

Coarse-grained vs. Fine-grained strategies

Most traditional firewall solutions block access based on the source IP. As a result, if the source IP is on any firewall blacklist, the client cannot reach the destination IP of the service at all.

This all-or-nothing approach makes it impossible for some legitimate users to use a particular API or website endpoint even if their anonymous access is not malicious. Using services that help users maintain their privacy is not fraudulent in itself. But using them to sign up for a SaaS solution with false data and fraudulent payment methods is an abuse.

Therefore, a friendlier approach is to require users to register from non-anonymous networks but allow existing customers to connect and use the service without restrictions: fence in only the critical parts of your service, such as sign-up, rather than every endpoint.

The Auth0 Signals REST API can tell you in milliseconds whether an IP belongs to an anonymity service such as Tor, an open proxy, or an anonymous VPN, so that any Product Manager can decide what to do next.

The first request to the Auth0 Signals API

Before proceeding, we strongly recommend reading the information about how to sign up in Auth0 Signals and obtain an API Key.

We only have to append the IP to consult to the endpoint URL https://signals.api.auth0.com/badip/. All requests must go over a secure (HTTPS) connection. In the following example we use an IP that was a Tor exit node on the date the article was written (so the result may differ when you test this code).

curl -i -H "X-Auth-Token: UUID" -X GET https://signals.api.auth0.com/badip/185.220.101.196

or

curl -i -H "X-Auth-Token: UUID" -H "Content-Type: application/json" -X GET https://signals.api.auth0.com/badip/185.220.101.196

Adding the header “Content-Type: application/json” makes the response body include the names of all the lists that contain the IP.

The response

If you query the API for any IP, the service returns one of several responses:

  • 404 – Not found: And this is good, because it means the IP was not found in any list. The IP looks good.
  • 200 – OK: And this is not good, because it means the IP was found in one or more lists. The IP is suspicious and not very reputable.
  • 429 – Too many requests: You have run out of quota. The daily quota is reset every day, and the per-minute quota every 60 seconds. Treat this as “unknown”, not as a clean IP.

The response starts with the HTTP status code, for example:

HTTP/2 200 
date : Mon, 04 May 2020 14:48:54 GMT
content-type : application/json; charset=utf-8
content-length : 255
server : Python/3.6 aiohttp/3.6.2

If we add the “Content-Type: application/json” header then we will also obtain the full list of the blacklists where the IP address was found:

{
   "response":[
      "FAIL2BAN-SSH",
      "BLOCKLISTNET-UA",
      "STOPFORUMSPAM-7",
      "STOPFORUMSPAM-90",
      "BOTSCOUT-30D",
      "STOPFORUMSPAM-1",
      "BOTSCOUT-7D",
      "TOP100-1D-IP",
      "TOR",
      "STOPFORUMSPAM-180",
      "STOPFORUMSPAM-365",
      "BOTSCOUT-1D",
      "STOPFORUMSPAM-30"
   ],
   "type":"badip"
}

As we can see, this IP address appears in several blacklists. Besides the TOR list, it is also in the STOPFORUMSPAM, BOTSCOUT, and FAIL2BAN lists. Not very reputable indeed.

Therefore, testing the HTTP status code is the fastest way to check the reputation of a source IP. On a 200 OK your code should treat the IP as ‘malicious’; a 404 Not Found is a good IP address. Any other code (429, or a server error) means the check did not happen, so handle it as “unknown” rather than as a clean IP.

Finally, by adding the “Content-Type: application/json” header you get the list names, so your code can treat some lists as more serious than others (the numeric suffixes on the STOPFORUMSPAM and BOTSCOUT names look like day windows, so an IP in a 1-day list was seen more recently than one that only appears in a 365-day list).
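Putting the two ideas above together (gate only sign-up, as suggested in the coarse-grained vs. fine-grained section, and read the status code first, then weigh the lists), here is an added Python example. It is not part of the original article and not Auth0's own SDK. `lookup` performs the real request with the `X-Auth-Token` header; `classify` and `allow` work offline on a constructed copy of the JSON body shown above. The per-list weights, the threshold, the `fail_open` default for 429 and errors, and the function names are my assumptions, not values Auth0 documents.

```python
import json
import urllib.error
import urllib.request

SIGNALS_URL = "https://signals.api.auth0.com/badip/"

# Assumed weights per list name (my own choice, not a scale Auth0 publishes):
# fresh spam/bot sightings and Tor exits count more than older entries.
LIST_WEIGHTS = {
    "TOR": 3,
    "BOTSCOUT-1D": 3,
    "STOPFORUMSPAM-1": 3,
    "FAIL2BAN-SSH": 2,
    "BOTSCOUT-7D": 2,
    "STOPFORUMSPAM-7": 2,
}
DEFAULT_WEIGHT = 1  # any list not in the table still counts a little


def lookup(ip, token, details=True, timeout=3):
    """Query the badip endpoint and return (status, body_bytes).

    urllib raises HTTPError for 404 and 429, so both are caught and handed
    back as plain status codes; the caller decides what they mean.
    """
    headers = {"X-Auth-Token": token}
    if details:
        headers["Content-Type"] = "application/json"  # ask for the list names
    req = urllib.request.Request(SIGNALS_URL + ip, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status, body=b""):
    """Turn a badip response into (verdict, score, lists).

    404 -> ("clean", 0, [])         not on any list
    200 -> ("listed", score, lists) score is None if no list detail came back
    429 -> ("quota", None, [])      out of quota; nothing can be concluded
    other -> ("error", None, [])
    """
    if status == 404:
        return "clean", 0, []
    if status == 429:
        return "quota", None, []
    if status != 200:
        return "error", None, []
    lists = []
    if body:
        data = json.loads(body)
        if data.get("type") == "badip":
            lists = list(data.get("response", []))
    if not lists:
        return "listed", None, []  # a bare 200 is still a hit
    score = sum(LIST_WEIGHTS.get(name, DEFAULT_WEIGHT) for name in lists)
    return "listed", score, lists


def allow(action, verdict, score, threshold=3, fail_open=True):
    """Fencing policy: only 'signup' is gated by reputation; logins and API
    calls from existing customers always pass. Quota exhaustion and errors
    fall open (allow) or closed (deny) according to fail_open."""
    if action != "signup" or verdict == "clean":
        return True
    if verdict == "listed":
        return score is not None and score < threshold
    return fail_open  # "quota" or "error"


# Constructed sample: the JSON body the article shows for a Tor exit node.
SAMPLE_200_BODY = json.dumps({
    "response": [
        "FAIL2BAN-SSH", "BLOCKLISTNET-UA", "STOPFORUMSPAM-7", "STOPFORUMSPAM-90",
        "BOTSCOUT-30D", "STOPFORUMSPAM-1", "BOTSCOUT-7D", "TOP100-1D-IP", "TOR",
        "STOPFORUMSPAM-180", "STOPFORUMSPAM-365", "BOTSCOUT-1D", "STOPFORUMSPAM-30",
    ],
    "type": "badip",
}).encode()


if __name__ == "__main__":
    # Offline walk-through of every status the article describes.
    for status, body in [(404, b""), (200, b""), (200, SAMPLE_200_BODY), (429, b""), (503, b"")]:
        verdict, score, lists = classify(status, body)
        print(status, verdict, score, len(lists),
              "signup:", allow("signup", verdict, score),
              "login:", allow("login", verdict, score))
    # Live call (needs a real key): status, body = lookup("185.220.101.196", "YOUR-API-KEY")
```

Note that the 200 with no JSON detail (the first curl form, without the Content-Type header) still blocks sign-up: the status code alone is the signal, and the list names only let you lower the severity for entries that appear in old lists only. Whether a 429 should fail open or closed is a product decision; failing open keeps sign-up working when the quota is exhausted, failing closed is safer against a burst of abusive registrations.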

What’s next?

Sometimes you need more context to decide whether an IP address is malicious. This is the reason for the IP risk scoring service you can find on the Auth0 Signals site or in the Auth0 IP Signals API. That endpoint gives more hints about the IP address: the network service provider, geolocation and historical information.
