What We’ve Learned After Scoring 350,000+ IPs for Risk
Over the last few months, CandycornDB has scored over 350,000 IPs using real-time behavioral analysis, subnet clustering, and ASN-level enrichment. Our goal was never to create just another static IP reputation system — but to understand how infrastructure and traffic behavior correlate with abuse in the wild.
1. ASN Abuse Patterns Are Extremely Consistent
Some ASNs repeatedly show elevated risk profiles, especially those associated with low-cost VPS resellers. OVH, LeaseWeb, and DigitalOcean account for a large share of anonymized traffic flagged in our system — not necessarily because of the providers themselves, but due to how easily these IPs can be spun up and cycled.
Our scoring engine tracks ASN-level “abuse density,” adjusting risk based on how concentrated malicious signals are across the provider’s ranges.
2. Public Blocklists Miss Fresh Tor and Proxy Nodes
Tor exit nodes rotate often. We’ve seen dozens of IPs behave like anonymizers days before they ever hit public blocklists. By the time they show up on external feeds, the abuse is already over.
Subnet clustering allows us to flag IPs that share a subnet with addresses already exhibiting Tor-like behavior, even when the IP itself hasn’t yet been recognized on any feed.
3. Subnet Risk Spreads Faster Than Expected
Once a subnet shows signs of abuse, we often see other IPs from the same /24 or /22 follow suit within 24–72 hours. This pattern is especially pronounced among proxy farms and compromised residential space.
Our approach weights subnet suspicion dynamically — the more abuse that clusters, the more cautious we become with related IPs.
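To make the ASN “abuse density” idea from section 1 and the subnet weighting described here concrete, the following is an added Python example (not CandycornDB’s engine, and not code from the original post). It builds per-/24 and per-ASN flag densities from a constructed set of observations, then scores a candidate IP so that an address nobody has ever seen still inherits risk from a dirty /24 or provider. The weights (0.6 / 0.3 / 0.1), the sparse-data shrinkage and the sample addresses are all assumptions chosen for illustration; the prefix length is a parameter so the same logic applies to /22 aggregation.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry: (ip, asn, flagged). "flagged" means the IP
# produced malicious signals in our own observations. Addresses are from
# documentation ranges and ASNs from the private range; none are real.
OBSERVATIONS = [
    ("203.0.113.10", 64500, True),
    ("203.0.113.11", 64500, True),
    ("203.0.113.12", 64500, False),
    ("203.0.113.13", 64500, True),
    ("203.0.113.200", 64500, False),
    ("198.51.100.5", 64501, False),
    ("198.51.100.6", 64501, False),
    ("198.51.100.7", 64501, False),
    ("198.51.100.8", 64501, True),
    ("192.0.2.1", 64502, False),
    ("192.0.2.2", 64502, False),
]


@dataclass
class RiskModel:
    subnet_counts: dict  # network -> [flagged, total]
    asn_counts: dict     # asn -> [flagged, total]
    ip_flagged: dict     # ip -> bool (direct evidence for that address)


def build_model(observations, prefix_len=24):
    """Aggregate flag counts per subnet (default /24) and per ASN."""
    subnet = defaultdict(lambda: [0, 0])
    asn = defaultdict(lambda: [0, 0])
    ip_flagged = {}
    for ip, asn_num, flagged in observations:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        subnet[net][1] += 1
        asn[asn_num][1] += 1
        if flagged:
            subnet[net][0] += 1
            asn[asn_num][0] += 1
        ip_flagged[ip] = flagged
    return RiskModel(dict(subnet), dict(asn), ip_flagged)


def density(counts, key, min_samples=3):
    """Share of flagged observations for a subnet or ASN.

    With fewer than min_samples observations the ratio is shrunk toward zero
    so that a single flagged host does not condemn a whole range (assumed
    heuristic, not a published CandycornDB rule)."""
    if key not in counts:
        return 0.0
    flagged, total = counts[key]
    if total < min_samples:
        return flagged / (total + min_samples)
    return flagged / total


def score_ip(model, ip, asn_num, prefix_len=24):
    """Risk in [0, 1]: direct evidence dominates, neighbourhood and provider
    density add caution for addresses we have never seen."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    own = 1.0 if model.ip_flagged.get(ip) else 0.0
    sub = density(model.subnet_counts, net)
    prov = density(model.asn_counts, asn_num)
    return round(0.6 * own + 0.3 * sub + 0.1 * prov, 3)


def riskiest_subnets(model, top=3):
    """Subnets ordered by abuse density, the view an analyst would review."""
    ranked = sorted(model.subnet_counts, key=lambda n: -density(model.subnet_counts, n))
    return [(str(n), round(density(model.subnet_counts, n), 3)) for n in ranked[:top]]


if __name__ == "__main__":
    model = build_model(OBSERVATIONS)
    print(riskiest_subnets(model))
    # An unseen address in the abusive /24 still scores well above a clean one
    print(score_ip(model, "203.0.113.99", 64500))   # 0.24
    print(score_ip(model, "192.0.2.5", 64502))      # 0.0
```

The point of the neighbourhood term is the 24–72 hour lag noted above: by the time 203.0.113.99 starts misbehaving on its own, the model has already raised its score because three of its five observed siblings were flagged.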
4. Behavior Beats Reputation
Static IP reputation (based on past reports or external tags) is rarely enough. In contrast, behaviors like inconsistent headers, TTL anomalies, and high-velocity endpoint scanning are more predictive of abuse.
We’ve built our engine to react in real time to behavior — adapting as new attack patterns emerge.
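The three behavioral signals named above (inconsistent headers, TTL anomalies, high-velocity endpoint scanning) can be extracted from ordinary request logs. The following is an added Python example, not CandycornDB’s engine or code from the original post, that computes those features per client IP over a constructed log and turns them into a score. The thresholds, point values, the interpretation of “TTL anomaly” as several distinct observed TTL values from one address (suggesting more than one host or stack behind it), and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample request records (not real traffic), one tuple per request:
# (client ip, UTC timestamp, observed IP TTL, User-Agent, path, HTTP status).
SAMPLE_LOG = [
    ("203.0.113.7", "2024-01-01T00:00:00", 64, "Mozilla/5.0 Chrome/120", "/login", 200),
    ("203.0.113.7", "2024-01-01T00:00:01", 128, "curl/8.0", "/admin", 404),
    ("203.0.113.7", "2024-01-01T00:00:02", 64, "Mozilla/5.0 Chrome/120", "/wp-login.php", 404),
    ("203.0.113.7", "2024-01-01T00:00:03", 128, "python-requests/2.31", "/.env", 404),
    ("203.0.113.7", "2024-01-01T00:00:04", 64, "curl/8.0", "/phpmyadmin/", 404),
    ("203.0.113.7", "2024-01-01T00:00:05", 128, "Mozilla/5.0 Chrome/120", "/api/v1/users", 401),
    ("198.51.100.20", "2024-01-01T00:00:00", 56, "Mozilla/5.0 Firefox/121", "/", 200),
    ("198.51.100.20", "2024-01-01T00:00:30", 56, "Mozilla/5.0 Firefox/121", "/login", 200),
    ("198.51.100.20", "2024-01-01T00:01:10", 56, "Mozilla/5.0 Firefox/121", "/account", 200),
]

WINDOW = timedelta(seconds=60)  # assumed window for the velocity feature


def extract_features(log):
    """Per-IP behavioral features derived from the raw request records."""
    per_ip = defaultdict(list)
    for ip, ts, ttl, ua, path, status in log:
        per_ip[ip].append((datetime.fromisoformat(ts), ttl, ua, path, status))

    features = {}
    for ip, rows in per_ip.items():
        rows.sort()  # chronological; timestamps are distinct in this sample
        user_agents = {r[2] for r in rows}
        ttls = {r[1] for r in rows}
        errors = sum(1 for r in rows if r[4] >= 400)

        # Peak count of distinct paths requested inside any WINDOW-long span:
        # a browser session touches a handful, a scanner touches dozens.
        peak = 0
        for i, (t0, *_rest) in enumerate(rows):
            paths = {r[3] for r in rows[i:] if r[0] - t0 <= WINDOW}
            peak = max(peak, len(paths))

        features[ip] = {
            "distinct_user_agents": len(user_agents),
            "distinct_ttls": len(ttls),
            "error_ratio": round(errors / len(rows), 2),
            "peak_paths_per_minute": peak,
        }
    return features


def behaviour_score(f):
    """Additive score in [0, 100]; point values are illustrative assumptions."""
    score = 0
    if f["distinct_user_agents"] > 1:
        score += 25  # header inconsistency: one address, several claimed clients
    if f["distinct_ttls"] > 1:
        score += 25  # TTL anomaly: multiple IP stacks appear behind one address
    if f["peak_paths_per_minute"] >= 5:
        score += 30  # high-velocity endpoint scanning
    if f["error_ratio"] >= 0.5:
        score += 20  # mostly probing endpoints that do not exist
    return score


def score_log(log):
    """Map each client IP in the log to its behavioral risk score."""
    return {ip: behaviour_score(f) for ip, f in extract_features(log).items()}


if __name__ == "__main__":
    for ip, feats in extract_features(SAMPLE_LOG).items():
        print(ip, feats, "->", behaviour_score(feats))
```

Run against the sample, the scanning address trips all four signals while the ordinary browsing session trips none, and neither verdict depends on the IP having appeared on any reputation list beforehand.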
5. Residential IPs Are Not Always Innocent
One unexpected insight: some residential IP blocks had shockingly high abuse scores — mostly from credential validation attacks and headless browser traffic. Just because an IP is assigned to a “home user” doesn’t mean it’s safe.
Conclusion: Infrastructure Intelligence Is the Future
After scoring 350,000+ IPs, one thing is clear — fraud and abuse follow infrastructure, not just individual IPs. By analyzing network relationships, ASNs, and behavior, we can surface threats far earlier than blocklist-driven systems.
CandycornDB is built on that belief — and the more data we score, the smarter it gets.