
API providing threat analysis of any given IP address - dontbesalty
https://fraudguard.io/
======
finnn
I operate two non-exit tor relays. They both return risk_level: 4 with
the "threat" being "tor_tracker". What threat is posed by a non-exit tor
relay? What does the "tracker" part of "tor_tracker" mean?

~~~
hieving
Exit node:
[https://atlas.torproject.org/#details/463DC28452F676B7A6597A...](https://atlas.torproject.org/#details/463DC28452F676B7A6597ACA6DF7C6934F598806)
[https://fraudguard.io/?ip=5.196.143.10](https://fraudguard.io/?ip=5.196.143.10)

Non-exit node:
[https://atlas.torproject.org/#details/EF4BD6E8E5817690B79C67...](https://atlas.torproject.org/#details/EF4BD6E8E5817690B79C6760898C7EFCCB6C2D30)
[https://fraudguard.io/?ip=108.61.199.202](https://fraudguard.io/?ip=108.61.199.202)

It does not seem to make a distinction between exit and relay nodes, they are
both deemed "tor_tracker".

~~~
Karunamon
A number of large vendors like Barracuda and Tipping Point do this. A friend
of mine one time found that they were unable to log in to pay their TV bill a
few days after setting up a relay node. After he made enough noise about this,
their engineers investigated, and sure enough, Tipping Point flags a relay
node as suspicious for no good reason, and the IPS was blocking his traffic.

On a side note, companies _really don't like to deal with people who can't
access their site_. Being told over and over "It's your ISP", even when on a
conference call with said ISP (and nevermind how difficult it was to get
_that_ set up with someone who understands the problem) was infuriating.

------
feross
Most of this data is available for free download via an organization called
FireHOL. See [http://iplists.firehol.org](http://iplists.firehol.org)

It's not clear what this adds on top of FireHOL.
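
Checking an address against one of those FireHOL lists locally, as an added example (not FireHOL's or FraudGuard.io's own code). The list excerpt is constructed in the ".netset" layout FireHOL publishes (comment lines starting with "#", then one address or CIDR block per line); the list name and maintainer URL in it are placeholders, and a real deployment would download and refresh the files from iplists.firehol.org on a schedule.

```python
# Added example: parse a FireHOL-style netset and do longest-prefix lookups.
# Not FireHOL's or FraudGuard.io's code; the list below is constructed.
import ipaddress
from typing import Iterable

# Constructed excerpt in the file format FireHOL publishes: '#' comment
# lines, then one IPv4 address or CIDR block per line.
SAMPLE_NETSET = """\
#
# example_blocklist (constructed sample, not a real FireHOL list)
# Maintainer URL : https://example.invalid/
#
198.51.100.0/24
203.0.113.7
203.0.113.128/25
192.0.2.0/29
"""

def parse_netset(text: str) -> list:
    """Parse netset text into networks, skipping comments and blank lines.

    Malformed lines are reported rather than silently dropped, so a truncated
    download does not quietly turn into a smaller blocklist."""
    nets, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append((lineno, entry))
    if bad:
        raise ValueError(f"unparseable entries: {bad}")
    # Merge overlapping/adjacent blocks so there are fewer entries to probe.
    return list(ipaddress.collapse_addresses(nets))

class NetsetMatcher:
    """Longest-prefix lookup over a parsed netset.

    Networks are grouped by prefix length; a lookup masks the address to each
    length present (at most 32 for IPv4) and probes a set, so lookup cost does
    not grow with the size of the list."""
    def __init__(self, networks: Iterable):
        self._by_prefix = {}
        for net in networks:
            self._by_prefix.setdefault(net.prefixlen, set()).add(net.network_address)
        self._prefixes = sorted(self._by_prefix, reverse=True)

    def match(self, ip: str):
        addr = ipaddress.ip_address(ip)
        for plen in self._prefixes:
            net = ipaddress.ip_network((addr, plen), strict=False)
            if net.network_address in self._by_prefix[plen]:
                return str(net)   # most specific matching block
        return None

MATCHER = NetsetMatcher(parse_netset(SAMPLE_NETSET))

def is_listed(ip: str) -> bool:
    """True if the address falls inside any block of the sample list."""
    return MATCHER.match(ip) is not None

if __name__ == "__main__":
    for probe in ("198.51.100.77", "203.0.113.200", "203.0.113.100", "192.0.2.8"):
        print(probe, MATCHER.match(probe))
```

The matcher returns the specific block that matched rather than a bare boolean, which is what you want when a customer asks why they were blocked: the answer is the CIDR entry and the list it came from, not "your IP is bad".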

------
kolanos
If the creators are on HN, curious to know what sets this apart from other
threat intel services like IBM X-Force, ThreatConnect, VirusTotal, Carbon
Black, etc.

~~~
fragfester
I'm Ryan, one of three devs that built FraudGuard.io. The answer is basically
price. We do EVERYTHING ourselves and try to keep price extremely fair. We
have plans that start at $10 /month and we also have a small free-for-life
plan too.

That's the best answer. The secondary part is we want a simple way for any dev
off the street to integrate with api.fraudguard.io in 5 minutes. Imagine you
are a small company and you want to limit back office access to your CMS to
only IPs outside of Germany. That takes just a couple minutes. Or you want to
allow back office access to your CMS from everywhere but you want to decrease
the session timeout to only 30 minutes if the originating IP is a tor node or
public proxy, etc.

We just got out of beta (literally last night) but so far that's the majority
of use cases we've seen.
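
The two policies Ryan describes (deny back-office logins from a country, shorten the session when the source is a tor node or public proxy), as an added example that is not FraudGuard.io's code. The response fields "country", "threat" and "risk_level" are the ones visible elsewhere in this thread, including the fact that risk_level comes back as a string; the threat name "public_proxy", the session lengths, the clamping rule and the sample responses are assumptions for illustration.

```python
# Added example, not FraudGuard.io's code: turning a reputation lookup result
# into a back-office access decision. Fields "country", "threat", "risk_level"
# are the ones seen in the thread; the policy values below are assumptions.
import json
from dataclasses import dataclass

# Constructed sample responses in the shape the thread shows. risk_level
# arrives as a string, so it must be parsed before any comparison.
SAMPLE_RESPONSES = {
    "198.51.100.7": '{"country": "Germany", "threat": "unknown", "risk_level": "1"}',
    "203.0.113.9":  '{"country": "Netherlands", "threat": "tor_tracker", "risk_level": "4"}',
    "192.0.2.44":   '{"country": "Canada", "threat": "public_proxy", "risk_level": "3"}',
    "192.0.2.200":  '{"country": "Canada", "threat": "unknown", "risk_level": "not-a-number"}',
}

@dataclass(frozen=True)
class Verdict:
    allow: bool
    session_seconds: int
    reason: str

DEFAULT_SESSION = 8 * 3600      # assumed normal back-office session length
SHORT_SESSION = 30 * 60         # the 30-minute timeout from the comment above
ANONYMISING_THREATS = {"tor_tracker", "public_proxy"}   # "public_proxy" is assumed

def parse_lookup(raw: str) -> dict:
    """Parse one lookup result, normalising risk_level to an int in 1..5.

    An unparseable risk level is treated as the maximum rather than as zero:
    a reputation check that fails closed costs a session, one that fails open
    costs an incident."""
    data = json.loads(raw)
    try:
        level = int(data.get("risk_level", "5"))
    except (TypeError, ValueError):
        level = 5
    return {
        "country": data.get("country", ""),
        "threat": data.get("threat", "unknown"),
        "risk_level": max(1, min(level, 5)),
    }

def back_office_policy(ip: str, lookups: dict = SAMPLE_RESPONSES,
                       blocked_countries: frozenset = frozenset({"Germany"})) -> Verdict:
    """Decide whether a back-office login from `ip` is allowed and for how long."""
    raw = lookups.get(ip)
    if raw is None:
        # No data for this address: keep the user in but on the short session.
        return Verdict(True, SHORT_SESSION, "no reputation data")
    info = parse_lookup(raw)
    if info["country"] in blocked_countries:
        return Verdict(False, 0, f"country {info['country']} blocked")
    if info["risk_level"] >= 5:
        return Verdict(False, 0, f"risk_level {info['risk_level']}")
    if info["threat"] in ANONYMISING_THREATS:
        return Verdict(True, SHORT_SESSION, f"{info['threat']} -> short session")
    return Verdict(True, DEFAULT_SESSION, "clean")

if __name__ == "__main__":
    for ip in SAMPLE_RESPONSES:
        print(ip, back_office_policy(ip))
```

In a real deployment the `lookups` mapping is replaced by the API call (with a cache in front of it); everything else stays the same. The point of keeping the decision in one pure function is that it can be unit-tested against recorded responses, including the malformed ones, without touching the network.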

~~~
encoderer
Hey Ryan, I applaud the free tier and think it's important, but I'd caution
that it can be awfully hard to make a business-sustaining revenue on $10/mo. I
think it's smart to start low and compete on price, but I think there's value
here, it's why there are larger competitors in the space, and if you can climb
that value chain and raise prices along the way you will be better off for it.

From a merchandising POV, you could consider moving up-market by building new
more powerful features and giving them only to the $25 plan. Then, rename the
plans to match who you expect to buy them. People identify with who they are
more naturally than they do a number of requests per month.

Also, congrats on shipping.

Edit: Also, pre-fill the form with the visitors own IP -- or better yet just
display the results?

~~~
fragfester
Ya this is really great info. Thanks for the feedback. We are still looking at
pricing as this is only day one but we're on it.

This one I'm moving up the list - I like the idea "better yet just display the
results of visitors IP"

~~~
sasas
ipinfo.io do this well

------
AnkhMorporkian
I like this, but I have to tell you what I've been looking for in one of these
services for forever.

I help develop a fairly popular webgame. One of our biggest headaches is
people who are evading bans by using VPNs (public or not), VPSes, etc.
Although we've outright blocked some large chunks of IPs (AWS, for instance),
I've never seen a good service that identifies those specific blocks.
Sometimes I go manually digging in the case of serious ban evaders, looking up
the owners of specific IP blocks, but boy it'd be convenient if there was a
service out there that did that.

~~~
wtbob
> One of our biggest headaches is people who are evading bans by using VPNs
> (public or not), VPSes, etc. Although we've outright blocked some large
> chunks of IPs (AWS, for instance)

Please don't do this. It's perfectly legitimate to route one's traffic through
other nodes one owns.

Please consider other ways of dealing with banned players — perhaps make
creating an account slow and/or costly.

~~~
AnkhMorporkian
We've examined all the options. We already use browser fingerprinting, and
that takes care of a good percentage of it, but for the truly committed there
are really only two options: Blocking all VPNs, or using supercookies. I'm
actually a bigger fan of the supercookie solution, but one of the other
developers is staunchly against that. It's an ongoing battle.

The problem with the slow/costly account thing is that one of the big draws of
our game is that there's no registration necessary. You can jump in a game
instantly by pressing 'Play Now', and you just get named 'Some Ball
1/2/3/4/etc' and tossed with the registered players.

~~~
IshKebab
What do the evil Some Balls do that you want to avoid? I've never noticed any
bad behaviour tbh (other than just being not very good).

Tagpro is awesome btw.

~~~
AnkhMorporkian
Mostly really nasty chat and working against their own team. You don't see too
much of it nowadays as we're very proactive about that, and have blocked all
the major slurs from being typable.

Always glad to find a player in the wild! We're working hard on Next and hope
to have the beta open soon.

------
michaelaiello
Where do you get your data for botnet compromised IPs?

------
sword_master
"Our Team of Engineers track public IPs across a wide scope of popular botnet
networks."

How do you track botnets (along with the other collection you do) with a team
of three? How many botnets are being tracked and which malware families? This
is an especially dubious claim when coupled with another statement you made:
"We do not rely on external sources at this time".

~~~
nexact
I bet he is using maltrail and firehol.

~~~
fragfester
We do use Maltrail along with a whole lot else. You don't have experience with
it perhaps? Are you currently employed or angry at your employer?

~~~
nexact
:-) I built my own API and it is automatically updated every 2 hours. I'm
using threatminer to do cross-validation on sampled values.

------
ComodoHacker
Just fed a bunch of IPs from one of my server's auth.log and got the same:

      "country": "China",
      "threat": "unknown",
      "risk_level": "1"

I'm not surprised, but with China's increasing activity on the scene we have
to do something about it.

------
charonn0
I plugged in a few IPs from stopforumspam.com and they all had the same "risk
level" as my own IP: 1.

~~~
fragfester
I'm Ryan, one of three devs that built FraudGuard.io. Honestly we have a lot
more work to do specifically in spam. With that being said, spam is the least
requested collector so far by our users. Just to share in beta we asked some
of our heavy users and about 90% of our users preferred our focus was on
honeypot collection, spam was less than 2%.

So here's how it works now. We do not rely on external sources at this time.
The reason is that our traffic is so high that no external source, at least
none we've found, will serve our users' traffic.

For example stopforumspam.com limits API requests to 20,000 per day. I haven't
checked our stats today but during our beta (which ended yesterday) we served
more than 20,000 API requests per hour. So even with huge cache durations set
it's very hard to rely on outside sources, so instead we run all our own spam
collectors, using our own domains, etc.

------
justinsaccount
Correction, API providing:

502 Bad Gateway

nginx/1.8.1

~~~
mtmail
Same here. And [https://www.fraudguard.io/](https://www.fraudguard.io/) uses
the wrong SSL certificate (that of analytics.crynix.com)

~~~
singlow
Probably the site was taken down by removing the vhost config. So the domain
is getting the default vhost and its certificate.

------
kevincox
I have a couple of questions:

- Why can there be only one risk type per IP? What if an IP is a honeypot and
botnet. It would make sense to me to have a list of threats or a different
value for each.

- Why is the threat level a string? Is it meant to be compared for equality
only?

Also your docs need a lot of work. I would like to know specifically what
threat types there are currently, what their slug is and what specifically
they mean.

~~~
fragfester
Thanks for the feedback, completely agreed. We are redoing the entire docs
page to give more info on all responses plus some other generic stuff/updates.

Regarding only one risk type per IP. We set the severity to the max level
logged in our system. If it's a 3, 4 and 5 based on attack type, frequency of
attack, method of collection, etc. it'll be the highest severity logged. We
might look at integrating this differently in v2.

------
0x0
Tried putting in quite a few IP addresses from /var/log/apache/access.log that
have been trying to hit up "wp-config.php" and "phpmyadmin" and whatnot. All
of them came back as risk_level 1.
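
Both ComodoHacker's auth.log run and the access.log run above are the same workflow: pull source addresses out of logs and look each one up. Here it is as an added example (not FraudGuard.io's code), with a cache and query budget in front of the lookup, since Ryan's comment about the 20,000/day limit at stopforumspam.com shows why you never want to spend a query on an address you already checked an hour ago. The log lines are constructed in the standard sshd and Apache combined formats, the probe-path list is an assumption, and `fake_lookup` stands in for the real API call.

```python
# Added example, not FraudGuard.io's code: extract attacker IPs from sshd
# auth.log and Apache access.log lines, then look them up through a TTL cache
# with a query budget. All log lines below are constructed samples.
import re
import time
from collections import Counter

AUTH_LOG = """\
Mar  3 06:12:01 host sshd[2411]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 06:12:03 host sshd[2411]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Mar  3 06:13:44 host sshd[2420]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 06:14:10 host sshd[2425]: Accepted publickey for deploy from 192.0.2.10 port 50110 ssh2
"""
ACCESS_LOG = """\
203.0.113.9 - - [03/Mar/2016:06:20:01 +0000] "GET /wp-config.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.77 - - [03/Mar/2016:06:20:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.9"
192.0.2.10 - - [03/Mar/2016:06:21:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")
APACHE_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')
# Paths only scanners ask for on a site that does not serve them (assumed list).
PROBE_PATHS = re.compile(r"(wp-config\.php|phpmyadmin|wp-login\.php|\.env)", re.I)

def suspicious_ips(auth_text: str, access_text: str) -> Counter:
    """Count failed SSH logins and probe requests per source IP."""
    hits = Counter()
    for line in auth_text.splitlines():
        m = SSH_FAILED.search(line)
        if m:
            hits[m.group(1)] += 1
    for line in access_text.splitlines():
        m = APACHE_LINE.match(line)
        if m and PROBE_PATHS.search(m.group(2)):
            hits[m.group(1)] += 1
    return hits

class CachedLookup:
    """Wrap a per-IP reputation lookup with a TTL cache and a query budget.

    `lookup` is any callable ip -> dict. Once the budget is spent, uncached
    IPs get None instead of an exception, so log processing keeps going and
    the caller can see which addresses were never checked."""
    def __init__(self, lookup, ttl_seconds=6 * 3600, budget=20000, clock=time.monotonic):
        self._lookup, self._ttl, self._clock = lookup, ttl_seconds, clock
        self.remaining = budget
        self._cache = {}            # ip -> (expires_at, result)

    def get(self, ip: str):
        now = self._clock()
        cached = self._cache.get(ip)
        if cached and cached[0] > now:
            return cached[1]
        if self.remaining <= 0:
            return None
        self.remaining -= 1
        result = self._lookup(ip)
        self._cache[ip] = (now + self._ttl, result)
        return result

def fake_lookup(ip: str) -> dict:
    """Stand-in for the real API call; mirrors the fields seen in the thread."""
    known = {"203.0.113.9": ("tor_tracker", "4")}
    threat, level = known.get(ip, ("unknown", "1"))
    return {"country": "unknown", "threat": threat, "risk_level": level}

def triage(auth_text: str, access_text: str, lookup: CachedLookup) -> dict:
    """Return {ip: (hit_count, lookup_result)} for every suspicious source."""
    return {ip: (n, lookup.get(ip))
            for ip, n in suspicious_ips(auth_text, access_text).items()}

if __name__ == "__main__":
    cache = CachedLookup(fake_lookup)
    for ip, (n, info) in triage(AUTH_LOG, ACCESS_LOG, cache).items():
        print(f"{ip:15} hits={n} {info}")
    print("queries left:", cache.remaining)
```

Note that the hit count and the reputation result are kept separate: an address that hammers your own sshd is already evidence on its own, and a risk_level of 1 from a third party (which is what both commenters saw) should lower nobody's confidence in their own logs.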

~~~
fragfester
There are a lot of IPs out there. Unlike Pokemon we can't catch them all. It
varies but we run less than 50 honeypot nodes in 15 different countries
(because I pay for them out of the kindness of my heart each month as we are
not yet profitable) right now that would collect this kind of data. Our goal
is if we get more people to signup we will add more nodes. Obviously more
nodes = more data.

~~~
mkagenius
Why not price a little higher, lower it when you get profits?

~~~
fragfester
We never considered it I guess. Like someone else already mentioned there are
other options out there but their prices are insanely ridiculous. Starting at
$10 /month the three of us devs/creators feel like a competitive price will
keep big and small customers happy hopefully long-term.

~~~
MichaelGG
Look up articles on pricing plans. $10 is really low and makes your product
seem less valuable (if it's so good why are you almost giving it away?). Cheap
and free customers are often not worth the headache. You probably want the
entry-level plan to be at least $39, $49 or so. Maybe more. Offer a free
trial, and let that be enough for the cheap customers.

I don't think there are 100s, let alone 1000s, of low-maint customers that are
thinking "hmm, this abuse issue is really a problem on my site, consuming at
least an hour a month of my time, but I can't afford $49 to fix it".

Think about it, you're asking for $25 for a million checks. Typically that'll
be sign-ups or some sort of interaction. So their volume is probably what,
10-50x times that. Even if they used your API for checking before anon
comments, that means they're getting millions of pageviews/visits per month.
If such a site can't afford a, I dunno, $199 plan, maybe they aren't worth
dealing with.

If you really think you need a charity-level plan, perhaps include a contact
link for "open source and educational projects".

Someone will probably point out some wildly successful freemium model. Suppose
that's possible too. But even then you'll want to make a large gap between
free and premium. No one wants to deal with $10/month business customers.

~~~
fierarul
You know, I remember some old Tom & Jerry cartoon where an older mouse was
explaining capitalism. How a factory that sells great volumes is able to
reduce its margins and make even more total profit. Something like that.

So... what is wrong with a "low" price?

Must pricing nowadays be all game-theory where you want to extract the maximum
amount without any regard for underlying value or actual costs?

It's almost a meme on HN: "you are asking too little!" "Raise your prices,
double your consulting rate!" "Businesses don't even notice bills under
$4999!"

I'm from Romania where my "business" cell phone (with 1GB internet and
basically unlimited calls) is costing me $7/month. My build server on AWS used
to cost me $25/month. Nowadays I use my own machines so I only pay for some
leftover storage and I get a whopping $1.50/month bill on my card. I pay
$39/month for accounting.

No matter how great a startup believes their thing is, a business has to cover
a lot of expenses and 100 super-duper-products to purchase do add up. At some
point it might even make sense to say: yes, I'll have an employee waste 1 hour
each month on this problem instead of adding another vendor/product/contract
to the list.

~~~
MichaelGG
1 million checks a month. If the problem rate is even 1%, that's 10,000
"problems" that need to be resolved. At 1/minute, that's a full-time person on
the job! If that's not worth $$$$, the business isn't in the target audience.

And for people using this for fraud, it's gonna take more than a minute, and
there might be even more damage. For instance, avoiding chargebacks on 0.1%
would more than pay for itself. And that's a good selling point: "Our product
will save you $x% a month". It makes it a no-brainer, instant ROI.

So getting, say, $995 vs $25 means he has to find 40x fewer customers! He can
afford to spend a bit on sales. It's a meme on HN because it's true and us
engineers have a terrible habit of repeatedly undervaluing things.

He could even offer a "pre-launch" plan if he's worried about startups not
wanting to rack up bills before actually having customers. That way they can
maintain price plan integrity.

Overall I feel HN/engineers (myself included; I have to force myself here)
worry too much about edge cases and keep thinking somehow these cases will
make a serious business.

------
more-entropy
Money from nothing project. Congrats!

------
aaronsdevera
bad cert?

~~~
fragfester
Can you send a screenshot to hello@fraudguard.io and I'll take a look now?

