AbuseIPDB Integration

Threat intelligence scoring, multi-tier caching, and blacklist pre-seeding.

Threat Scoring

Each blocked inbound IP is scored using the AbuseIPDB API. The response includes:

  • Confidence score - 0 to 100 indicating abuse likelihood
  • 23 categories - attack classification (e.g., SSH brute force, DDoS, spam)
  • Tor detection - identifies traffic from Tor exit nodes
  • Usage type - ISP, hosting, business, or residential
  • Whitelist status - whether the IP is on AbuseIPDB's known-safe list
  • Report count - total number of abuse reports filed

Three-Tier Cache

To minimize API calls and stay within rate limits, threat data is cached across three layers:

  1. In-memory cache - fastest lookup for recently seen IPs
  2. PostgreSQL ip_threats table - persistent storage with a 4-day TTL
  3. AbuseIPDB API - queried only on cache miss

Blacklist Pre-seeding

The app pulls the AbuseIPDB blacklist of the 10,000 highest-risk IPs to pre-populate the threat cache. This runs:

  • On startup with a 30-second delay
  • Daily at 04:00

Pre-seeded IPs are immediately available for enrichment without individual API lookups.
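The lookup chain from the Three-Tier Cache section, together with blacklist pre-seeding, as an added example that is not the app's own code. The PostgreSQL ip_threats tier is stood in for by a dict-backed class, the AbuseIPDB API by a callable that returns a constructed response (field names follow the public v2 check and blacklist JSON; the values and the documentation-range IPs are invented), and a controllable clock lets the 4-day TTL expire without waiting.

```python
# Added example: memory -> ip_threats -> AbuseIPDB API lookup chain with pre-seeding.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

PERSISTENT_TTL = timedelta(days=4)  # TTL of the ip_threats tier, as stated on the page


@dataclass
class ThreatRecord:
    """One cached verdict. Pre-seeded blacklist rows only carry the confidence score."""
    ip: str
    confidence: int                       # abuseConfidenceScore, 0..100
    fetched_at: datetime
    is_tor: Optional[bool] = None
    usage_type: Optional[str] = None
    whitelisted: Optional[bool] = None
    total_reports: Optional[int] = None

    def expired(self, now: datetime) -> bool:
        return now - self.fetched_at > PERSISTENT_TTL


class ThreatTable:
    """Stand-in for the PostgreSQL ip_threats table (a plain dict, constructed for the example)."""
    def __init__(self) -> None:
        self.rows: Dict[str, ThreatRecord] = {}

    def get(self, ip: str, now: datetime) -> Optional[ThreatRecord]:
        rec = self.rows.get(ip)
        return None if rec is None or rec.expired(now) else rec  # expired rows count as misses

    def put(self, rec: ThreatRecord) -> None:
        self.rows[rec.ip] = rec


class ThreatLookup:
    """Tier 1: in-memory dict. Tier 2: ThreatTable. Tier 3: the fetch callable (the API)."""
    def __init__(self, table: ThreatTable, fetch: Callable[[str], dict],
                 clock: Callable[[], datetime]) -> None:
        self.memory: Dict[str, ThreatRecord] = {}
        self.table = table
        self.fetch = fetch        # in production this would issue GET /api/v2/check
        self.clock = clock
        self.api_calls = 0        # number of tier-3 misses, useful for quota monitoring

    def score(self, ip: str) -> ThreatRecord:
        now = self.clock()
        rec = self.memory.get(ip)
        if rec is not None and not rec.expired(now):
            return rec                              # tier-1 hit
        rec = self.table.get(ip, now)
        if rec is not None:
            self.memory[ip] = rec                   # promote to tier 1
            return rec                              # tier-2 hit
        data = self.fetch(ip)                       # tier 3: API only on a full cache miss
        self.api_calls += 1
        rec = ThreatRecord(ip=ip, confidence=data["abuseConfidenceScore"], fetched_at=now,
                           is_tor=data["isTor"], usage_type=data["usageType"],
                           whitelisted=data["isWhitelisted"], total_reports=data["totalReports"])
        self.table.put(rec)
        self.memory[ip] = rec
        return rec

    def preseed(self, blacklist: list) -> int:
        """Load blacklist entries (ipAddress + abuseConfidenceScore) into both cache tiers."""
        now = self.clock()
        for entry in blacklist:
            rec = ThreatRecord(ip=entry["ipAddress"], confidence=entry["abuseConfidenceScore"],
                               fetched_at=now)
            self.table.put(rec)
            self.memory[rec.ip] = rec
        return len(blacklist)


class FakeClock:
    """Controllable clock so TTL expiry can be exercised without waiting four days."""
    def __init__(self, start: datetime) -> None:
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


# Constructed sample responses; shapes follow the AbuseIPDB v2 JSON, values are invented.
SAMPLE_CHECK = {"abuseConfidenceScore": 100, "isTor": False, "usageType": "Data Center/Web Hosting/Transit",
                "isWhitelisted": False, "totalReports": 57}
SAMPLE_BLACKLIST = [{"ipAddress": "203.0.113.9", "abuseConfidenceScore": 100}]


def sample_run() -> tuple:
    """Walk one IP through every tier and report api_calls after each stage."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    lookup = ThreatLookup(ThreatTable(), lambda ip: dict(SAMPLE_CHECK), clock)
    lookup.preseed(SAMPLE_BLACKLIST)
    lookup.score("203.0.113.9")             # pre-seeded: served with no API call
    after_preseed = lookup.api_calls
    lookup.score("198.51.100.7")            # miss on every tier -> API
    lookup.score("198.51.100.7")            # tier-1 hit
    after_first = lookup.api_calls
    lookup.memory.clear()                   # simulate a restart: memory gone, table persists
    lookup.score("198.51.100.7")            # tier-2 hit
    after_restart = lookup.api_calls
    clock.advance(timedelta(days=5))        # beyond the 4-day TTL
    lookup.score("198.51.100.7")            # expired in both tiers -> API again
    after_expiry = lookup.api_calls
    return after_preseed, after_first, after_restart, after_expiry


if __name__ == "__main__":
    print(sample_run())
```

The expiry check lives on the record rather than in the table so an in-memory entry that outlives its database row is also refreshed; without that, a long-running process could keep serving a stale verdict from tier 1 after the ip_threats row had aged out.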

Rate Limiting

The app respects AbuseIPDB's X-RateLimit response headers to stay within your plan's quota. If the API returns a 429 (Too Many Requests) response, all lookups pause automatically until midnight UTC when the quota resets.
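The quota behaviour described above, as an added example that is not the app's own code: a small gate that reads the X-RateLimit-Remaining header from each response, stops issuing lookups once the remaining count reaches zero, and on a 429 pauses everything until the next midnight UTC. The header name is AbuseIPDB's; the gate class, the header-case handling and the sample timeline are assumptions made for this example.

```python
# Added example: pausing lookups on quota exhaustion or a 429 until midnight UTC.
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2024-05-03T13:00:00+00:00'."""
    return datetime.fromisoformat(iso)


def next_midnight_utc(now: datetime) -> datetime:
    """Start of the next UTC day, when the page says the AbuseIPDB quota resets."""
    today = now.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return today + timedelta(days=1)


class QuotaGate:
    """Decides whether a lookup may be sent, based on the last API response seen."""
    def __init__(self) -> None:
        self.remaining: Optional[int] = None        # unknown until the first response
        self.paused_until: Optional[datetime] = None

    def allowed(self, now: datetime) -> bool:
        if self.paused_until is not None:
            if now < self.paused_until:
                return False
            self.paused_until = None                # quota has reset: resume lookups
            self.remaining = None                   # count is unknown again until next response
        return self.remaining is None or self.remaining > 0

    def observe(self, status: int, headers: Mapping[str, str], now: datetime) -> None:
        """Update state from one API response. Header names are matched case-insensitively."""
        lowered = {k.lower(): v for k, v in headers.items()}
        if status == 429:                           # Too Many Requests: pause until midnight UTC
            self.paused_until = next_midnight_utc(now)
            self.remaining = 0
            return
        rem = lowered.get("x-ratelimit-remaining")
        if rem is not None:
            self.remaining = int(rem)
            if self.remaining <= 0:                 # exhausted: stop before the API sends a 429
                self.paused_until = next_midnight_utc(now)


def sample_timeline() -> tuple:
    """Constructed sequence of responses; returns allowed() at each checkpoint."""
    gate = QuotaGate()
    t0 = at("2024-05-03T13:00:00+00:00")
    before_any = gate.allowed(t0)                                        # nothing known yet
    gate.observe(200, {"X-RateLimit-Remaining": "3"}, t0)
    with_budget = gate.allowed(t0)                                       # 3 left
    gate.observe(429, {"X-RateLimit-Remaining": "0"}, t0 + timedelta(minutes=1))
    paused = gate.allowed(at("2024-05-03T23:59:59+00:00"))               # still same UTC day
    resumed = gate.allowed(at("2024-05-04T00:00:00+00:00"))              # quota reset
    gate.observe(200, {"x-ratelimit-remaining": "0"}, at("2024-05-04T08:00:00+00:00"))
    exhausted = gate.allowed(at("2024-05-04T08:00:01+00:00"))            # zero left, no 429 yet
    return before_any, with_budget, paused, resumed, exhausted


if __name__ == "__main__":
    print(sample_timeline())
```

Stopping at a remaining count of zero, rather than waiting for the 429, keeps the app from burning the last request of the day on a call that will be rejected, and the timestamp passed to allowed() should always be timezone-aware so the midnight boundary is computed in UTC regardless of the host's local zone.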