VPN Detection
Multi-signal scoring system that estimates whether a visitor is using a VPN, proxy, or hosting provider. Implemented in vpnDetectionService.ts.
Scoring Breakdown
| Signal | Points | Condition |
|---|---|---|
| Hosting ASN | +3 | Current ASN belongs to a known cloud/hosting provider |
| IP Volatility | +5 | Fingerprint seen from >3 distinct IPs (24h window) |
| ASN Volatility | +5 | Fingerprint seen from >2 distinct ASNs (24h window) |
| Session Velocity | +3 | Fingerprint has >10 sessions (24h window) |
| ASN Change | +5 | ASN changed since last session for this fingerprint |
| Low Bot Score | +3 | Cloudflare bot score is between 0-30 (likely automated) |
Maximum possible score: 24
Score 0 = clean traffic. Higher scores = more suspicious.
Known Hosting ASNs
The system maintains a curated list of ~25 ASNs belonging to cloud/VPN infrastructure providers including:
- AWS, Google Cloud, Microsoft Azure
- DigitalOcean, Vultr, Linode, Hetzner
- OVH, Cloudflare, Akamai
- M247, Cogent, Hurricane Electric (common VPN exit nodes)
- Tencent Cloud, Alibaba Cloud
Data Sources
- ASN matching — Compare current ASN against the curated hosting ASN set
- KV counters — 24h rolling window of IP/ASN/session counts per fingerprint
- Cloudflare Bot Management —
cf.botManagement.scorewhen available (requires Enterprise)
When Scoring Happens
VPN scoring runs during /track/session/start as part of background processing. The score is logged and persisted to the fingerprints.vpn_suspected column in D1.
Usage
The VPN score is currently used for logging and analytics. Future applications include:
- Filtering analytics to exclude VPN/bot traffic
- Lead quality scoring (leads from VPN IPs may be lower quality)
- Rate limiting suspicious fingerprints