How To Check IP Addresses for Known Threats and Tor Exit Node Servers in Java
This article discusses the importance of detecting threatening IP addresses in various forms and provides two API solutions to help detect those threats.
Without Internet Protocol (IP) addresses to organize and route traffic between hosts across the globe, it is hard to imagine how the digital world would stay on its axis. Much as our physical home and work addresses are required to direct letters and parcels across county, state, and country lines, IP addresses identify and locate the endpoints of every connection, and all reliable network communication depends on them.
Like the post office in our building, or the mailbox next to our driveway, the edge of our network receives a wide variety of messages from external IP addresses, and the device that originated each message is generally traceable through its address. Tracking and storing IP address information is useful for several reasons, customer demographics among them, but it also plays a crucial role in network security. The clients requesting our resources arrive with unpredictable motivations, most often benign but at times malicious. Securing our systems against hostile clients therefore starts with understanding what a threatening IP address is and what policies we can put in place to weed out addresses with discernibly malicious intent.
IP threats come in many forms. Compromised devices and servers across the globe are heavily used by threat actors to send spam, distribute malware, and host phishing pages backed by cunning social engineering. Large networks of compromised, remotely controlled machines (botnets) let a single operator carry out attacks at massive scale, including the Distributed Denial of Service (DDoS) attacks that prominent government organizations around the world are all too familiar with. Complicating matters further are volunteer-operated, mostly well-intentioned anonymity networks like Tor, which route a request through a chain of relays so that the destination sees only the IP address of the final relay (the exit node) rather than the client's own, giving threat actors a quick and convenient way to hide in plain sight.
With the proper policies in place, threatening IPs can be detected in several ways. For starters, IP addresses associated with malicious activity (spam in particular) are generally added to public blocklists, so many threats can be identified by checking those lists directly. To keep that information current, decoy servers (honeypots) can be deployed to attract and record malicious IP addresses over time. As convenient as blocklisting might seem, however, it is a resource-intensive endeavor that is only as effective as its update cadence. New threatening IPs appear rapidly, and freshly compromised devices and networks of devices are moving targets that can quickly overwhelm smaller teams of developers and administrators.
With that in mind, one convenient way to keep pace with the steadily evolving flow of malicious traffic is to use a network security API. Such a service takes the list maintenance off the shoulders of developers and administrators by offering an easily integrated lookup whose data is updated on the provider's side.
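The list-based check described above, as an added example that is not part of the original article and not Cloudmersive code: a small IPv4 blocklist class that accepts exact addresses (the form a published Tor exit list takes) and CIDR ranges (the form most reputation feeds take), with a staleness guard so that a list nobody has refreshed is not silently trusted. The class name, its methods, and the entries in main are my own construction; the addresses come from the documentation ranges and are not real threat data.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical local IPv4 blocklist: exact addresses (as in a published Tor exit list) plus CIDR
 * ranges (as in most reputation feeds), with a staleness guard so an unrefreshed list is not trusted.
 */
public class LocalIpBlocklist {

    private final Set<Long> exactAddresses = new HashSet<>();
    private final List<long[]> cidrRanges = new ArrayList<>(); // each entry is {network, mask}
    private final Instant fetchedAt;

    public LocalIpBlocklist(List<String> entries, Instant fetchedAt) {
        this.fetchedAt = fetchedAt;
        for (String raw : entries) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue; // blank lines and comments
            int slash = line.indexOf('/');
            if (slash < 0) {
                exactAddresses.add(toLong(line));
                continue;
            }
            int prefix = Integer.parseInt(line.substring(slash + 1));
            if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad prefix length: " + line);
            long mask = prefix == 0 ? 0L : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
            cidrRanges.add(new long[] {toLong(line.substring(0, slash)) & mask, mask});
        }
    }

    /** True when the list is older than maxAge; refresh it before relying on a negative answer. */
    public boolean isStale(Duration maxAge, Instant now) {
        return fetchedAt.plus(maxAge).isBefore(now);
    }

    /** Exact-set lookup first, then a linear scan of the CIDR ranges. */
    public boolean contains(String ip) {
        long addr = toLong(ip);
        if (exactAddresses.contains(addr)) return true;
        for (long[] range : cidrRanges) {
            if ((addr & range[1]) == range[0]) return true;
        }
        return false;
    }

    /** Strict dotted-quad parser: exactly four decimal octets in 0..255, no signs, no shorthand forms. */
    static long toLong(String ip) {
        String[] parts = ip.split("\\.", -1);
        if (parts.length != 4) throw new IllegalArgumentException("not an IPv4 address: " + ip);
        long value = 0;
        for (String p : parts) {
            if (p.isEmpty() || p.length() > 3 || !p.chars().allMatch(Character::isDigit)) {
                throw new IllegalArgumentException("not an IPv4 address: " + ip);
            }
            int octet = Integer.parseInt(p);
            if (octet > 255) throw new IllegalArgumentException("not an IPv4 address: " + ip);
            value = (value << 8) | octet;
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample feed using documentation ranges, not real threat data.
        List<String> feed = List.of(
                "# example blocklist, fetched 30 hours ago",
                "198.51.100.7",
                "203.0.113.42",
                "192.0.2.0/24");
        LocalIpBlocklist list = new LocalIpBlocklist(feed, Instant.now().minus(Duration.ofHours(30)));

        System.out.println("203.0.113.42 listed: " + list.contains("203.0.113.42")); // exact entry
        System.out.println("192.0.2.200 listed: " + list.contains("192.0.2.200"));   // inside 192.0.2.0/24
        System.out.println("192.0.3.1 listed: " + list.contains("192.0.3.1"));       // no matching entry
        System.out.println("feed stale: " + list.isStale(Duration.ofHours(24), Instant.now()));
    }
}
```

The strict parser matters more than it looks: lenient parsers accept shorthand such as "192.0.2" or octal-looking octets, which lets an attacker present the same address in a form the list does not match. The staleness check is the point the paragraph makes about update cadence, expressed as code: a feed fetched 30 hours ago is refused as an authority once the allowed age is 24 hours.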
Demonstration
In the remainder of this article, I'll demonstrate two free-to-use API endpoints: one detects a variety of IP threats, including known bad IPs, botnets, compromised servers, and more, and the other determines whether traffic originated from a Tor exit node. To help you take advantage of both quickly, I've provided ready-to-run Java code examples further down the page.
Before getting to the code for each check, you'll need to install the client SDK. In your Maven POM file, first add a reference to the repository (Jitpack is used to dynamically compile the library):
<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>
After that, add a reference to the dependency:
<dependencies>
    <dependency>
        <groupId>com.github.Cloudmersive</groupId>
        <artifactId>Cloudmersive.APIClient.Java</artifactId>
        <version>v4.25</version>
    </dependency>
</dependencies>
With the installation complete, you can use either check with copy-and-paste code.
Check if the IP Address Is a Known Threat
This endpoint checks an input IP address string against a constantly growing list of detected IP threats. If a threat is detected, the response body returns IsThreat: True along with a ThreatType string describing the kind of threat. You can structure your API call using the following code:
import com.cloudmersive.client.invoker.ApiClient;
import com.cloudmersive.client.invoker.ApiException;
import com.cloudmersive.client.invoker.Configuration;
import com.cloudmersive.client.invoker.auth.*;
import com.cloudmersive.client.NetworkThreatDetectionApi;
import com.cloudmersive.client.model.*;

public class IsThreatCheck {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        // Configure API key authorization: Apikey. Read the key from the environment rather than hard-coding it in source.
        ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
        Apikey.setApiKey(System.getenv("CLOUDMERSIVE_API_KEY"));
        // Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
        //Apikey.setApiKeyPrefix("Token");
        NetworkThreatDetectionApi apiInstance = new NetworkThreatDetectionApi();
        String value = "203.0.113.42"; // IP address to check, passed as a string; this is a documentation-range placeholder
        try {
            IPThreatDetectionResponse result = apiInstance.networkThreatDetectionIsThreat(value);
            System.out.println(result); // the response carries IsThreat and, when a threat is found, ThreatType
        } catch (ApiException e) {
            System.err.println("Exception when calling NetworkThreatDetectionApi#networkThreatDetectionIsThreat");
            e.printStackTrace();
        }
    }
}
Check if the IP Address Is a Tor Node Server
This endpoint applies statistical techniques to help determine whether an IP address is a Tor exit node. Tor traffic isn't necessarily malicious, but it can indicate threatening activity, and certain industry regulations go as far as to require that Tor exit node addresses be categorically blocked.
If a Tor exit node address is detected, the response body returns IsTorNode: True, and you can then block that traffic before it reaches the resource it was trying to access. Keep in mind that the verdict is only as good as the address you submit: behind a load balancer or reverse proxy the socket peer is the proxy itself, and the real client address has to be taken from a forwarding header that only your trusted proxies are allowed to set. You can structure your API call using the following code:
import com.cloudmersive.client.invoker.ApiClient;
import com.cloudmersive.client.invoker.ApiException;
import com.cloudmersive.client.invoker.Configuration;
import com.cloudmersive.client.invoker.auth.*;
import com.cloudmersive.client.NetworkThreatDetectionApi;
import com.cloudmersive.client.model.*;

public class TorNodeCheck {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        // Configure API key authorization: Apikey. Read the key from the environment rather than hard-coding it in source.
        ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
        Apikey.setApiKey(System.getenv("CLOUDMERSIVE_API_KEY"));
        // Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
        //Apikey.setApiKeyPrefix("Token");
        NetworkThreatDetectionApi apiInstance = new NetworkThreatDetectionApi();
        String value = "203.0.113.42"; // IP address to check, passed as a string; this is a documentation-range placeholder
        try {
            ThreatDetectionTorNodeResponse result = apiInstance.networkThreatDetectionIsTorNode(value);
            System.out.println(result); // the response carries IsTorNode
        } catch (ApiException e) {
            System.err.println("Exception when calling NetworkThreatDetectionApi#networkThreatDetectionIsTorNode");
            e.printStackTrace();
        }
    }
}
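How the two lookups above would be wired into a request path, as an added example that is not part of the original article and not Cloudmersive code. The gate takes a pluggable lookup so the policy runs offline; a production implementation of ReputationLookup would call networkThreatDetectionIsThreat and networkThreatDetectionIsTorNode and copy their IsThreat, ThreatType, and IsTorNode fields into a Verdict. What the example adds is the part the API cannot do for you: picking the right client address when the request arrived through a proxy (X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, since any client can send that header), caching verdicts per address, and choosing explicitly whether a failed lookup fails open or closed. The class, its methods, the stub table, and the trusted proxy address 10.0.0.5 are all assumptions of mine; the IPs are documentation ranges, not real threat data. IPv4 only, Java 17 or later.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical gate that decides whether a request may proceed based on its source IP's reputation.
 * The lookup is pluggable so the policy can run offline; a real implementation would call the two
 * Cloudmersive methods shown above and copy IsThreat, ThreatType and IsTorNode into a Verdict.
 */
public class IpReputationGate {

    public record Verdict(boolean isThreat, String threatType, boolean isTorExitNode) {}

    public interface ReputationLookup {
        Verdict lookup(String ip) throws Exception;
    }

    private record Cached(Verdict verdict, Instant at) {}

    private static final String IPV4_OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final String IPV4 = IPV4_OCTET + "(\\." + IPV4_OCTET + "){3}";

    private final ReputationLookup lookup;
    private final Set<String> trustedProxies;  // only these peers may set X-Forwarded-For
    private final boolean blockTorExits;
    private final boolean failClosed;          // deny when the reputation lookup itself fails
    private final Duration cacheTtl;
    private final Map<String, Cached> cache = new ConcurrentHashMap<>();

    public IpReputationGate(ReputationLookup lookup, Set<String> trustedProxies,
                            boolean blockTorExits, boolean failClosed, Duration cacheTtl) {
        this.lookup = lookup;
        this.trustedProxies = trustedProxies;
        this.blockTorExits = blockTorExits;
        this.failClosed = failClosed;
        this.cacheTtl = cacheTtl;
    }

    /**
     * Address to feed into the reputation check. X-Forwarded-For is honoured only when the TCP peer
     * is a trusted proxy, because any client can send that header; the client is the rightmost hop
     * that is not itself a trusted proxy. A malformed header falls back to the peer address.
     */
    public String clientIp(String peerAddress, String xForwardedFor) {
        if (!trustedProxies.contains(peerAddress) || xForwardedFor == null || xForwardedFor.isBlank()) {
            return peerAddress;
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.matches(IPV4)) return peerAddress;
            if (!trustedProxies.contains(hop)) return hop;
        }
        return peerAddress;
    }

    /** Allow or deny; a lookup failure follows the fail-closed flag instead of silently allowing. */
    public boolean allow(String clientIp, Instant now) {
        Verdict verdict;
        try {
            verdict = cachedLookup(clientIp, now);
        } catch (Exception e) {
            return !failClosed;
        }
        if (verdict.isThreat()) return false;
        return !(verdict.isTorExitNode() && blockTorExits);
    }

    /** Memoise verdicts for cacheTtl so a burst from one address costs one API call, not one per request. */
    private Verdict cachedLookup(String ip, Instant now) throws Exception {
        Cached hit = cache.get(ip);
        if (hit != null && hit.at().plus(cacheTtl).isAfter(now)) {
            return hit.verdict();
        }
        Verdict fresh = lookup.lookup(ip);
        cache.put(ip, new Cached(fresh, now));
        return fresh;
    }

    public static void main(String[] args) {
        // Constructed stub standing in for the API; documentation-range addresses, not real threat data.
        Map<String, Verdict> table = Map.of(
                "203.0.113.42", new Verdict(true, "Botnet", false),
                "198.51.100.7", new Verdict(false, "", true));
        ReputationLookup stub = ip -> table.getOrDefault(ip, new Verdict(false, "", false));

        IpReputationGate gate = new IpReputationGate(stub, Set.of("10.0.0.5"), true, true, Duration.ofMinutes(10));
        Instant now = Instant.now();

        // Direct connection from an untrusted peer: its X-Forwarded-For claim is ignored.
        String direct = gate.clientIp("203.0.113.42", "192.0.2.9");
        // Connection via the trusted load balancer: the header is honoured and the rightmost non-proxy hop wins.
        String proxied = gate.clientIp("10.0.0.5", "192.0.2.9, 198.51.100.7");

        System.out.println(direct + " allowed=" + gate.allow(direct, now));
        System.out.println(proxied + " allowed=" + gate.allow(proxied, now));
    }
}
```

The first call shows the bypass the header check prevents: a client connecting directly while claiming to be 192.0.2.9 is still evaluated as 203.0.113.42. The second shows the rightmost-untrusted-hop rule, which is what makes the header usable at all once a trusted proxy sits in front of the application. Whether failClosed should be true depends on the resource: for a login or payment endpoint it usually should, for a public marketing page it usually should not.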
With these two APIs, you can add an up-to-date reputation check at your network edge without maintaining the lists yourself. A few practical points apply to any reputation lookup: each call sends a visitor's IP address to a third party, so make sure that fits your data-handling obligations; put a timeout around the call and decide deliberately whether a lookup failure should fail open or fail closed; cache verdicts per address so a burst of requests does not become a burst of API calls; and treat a match as a signal to be weighed with context, since shared addresses behind carrier-grade NAT or corporate proxies can put many legitimate users behind one flagged IP. Beyond these two checks, a broader portfolio of security APIs can help bolster your defenses against threats in a variety of forms.
Opinions expressed by DZone contributors are their own.