ISP Blocking: When Certain Internet Providers Signal Fraud

Not all internet traffic is created equal. Learn how the network a visitor connects from — their ISP, hosting provider, or ASN — is one of the strongest fraud signals in ecommerce, and how ISP and ASN blocking lets your Shopify store shut out data-center bots and high-risk networks without losing real customers.

ISP Blocking: When Certain Internet Providers Signal Fraud

import { Image } from ‘astro:assets’;

Last Updated: June 2026

Every visitor who lands on your Shopify store arrives through a network. Most of the time it’s a residential broadband connection from a household ISP, or a mobile carrier serving a phone on the move. But a surprising share of the traffic hitting modern storefronts doesn’t come from a living room or a coffee shop at all — it comes from a rack of servers in a data center, routed through a hosting provider whose only “customer” is an automated script.

That distinction — which network a request originates from — is one of the most reliable, least-discussed fraud signals in ecommerce. A connection from Comcast, Vodafone, or BT behaves nothing like a connection from a bulletproof hosting provider in a botnet-friendly jurisdiction. And once you learn to read the difference, you can quietly block an entire category of fraud, scraping, and fake orders before they ever reach your checkout.

This guide breaks down what ISP-level fraud signals actually are, why data-center and hosting networks correlate so strongly with abuse, and how to use ISP and ASN blocking on your Shopify store without accidentally turning away legitimate buyers.

Global network of connections across a world map representing internet traffic sources

What “ISP-Level” Actually Means

When people say a request came from a particular ISP, they’re really talking about a few overlapping layers of network identity:

  • The ISP (Internet Service Provider). The company that owns the IP address the visitor is using — Comcast, Spectrum, Orange, Jio, and so on for residential users.
  • The ASN (Autonomous System Number). A unique ID assigned to every network that routes traffic on the internet. Every IP address belongs to exactly one ASN, and that ASN tells you who operates the network. AWS, Google Cloud, DigitalOcean, OVH, and Hetzner each have their own ASNs — and so do residential ISPs.
  • The network type. Whether the ASN represents a residential ISP, a mobile carrier, a business connection, a data center / hosting provider, or known anonymizing infrastructure like a VPN or Tor exit node.

The key insight is this: legitimate shoppers almost never browse from a data center. Real customers buy from phones and laptops on home, mobile, and office networks. When a request to add an item to a cart, scrape a product page, or test a stolen card arrives from an Amazon Web Services or DigitalOcean IP, that’s not a shopper — it’s a machine. And machines on hosting networks are responsible for a wildly disproportionate share of the abuse that hits Shopify stores.

Why Network Type Is Such a Strong Fraud Signal

Fraud detection has always been a game of probabilities. No single signal is conclusive, but some signals shift the odds dramatically. Network type is one of the strongest.

An ASN’s reputation is determined by the kind of traffic that typically flows from it. Traffic from a well-known residential ISP like Comcast is generally low-risk — it’s where actual humans live. Traffic originating from a data center, a hosting provider, or a network notorious for sheltering botnets is inherently high-risk, because there’s no legitimate consumer reason for a shopper to be there.

Here’s why this matters so much in practice.

1. Bots Live in Data Centers

Automated traffic needs to scale cheaply, and nothing scales cheaper than spinning up servers in the cloud. Scrapers harvesting your product catalog, inventory-hoarding bots clearing limited drops, credential-stuffing scripts hammering your login, and card-testing tools validating stolen numbers all tend to run from hosting infrastructure. Block the data-center networks and you eliminate the cheapest, highest-volume slice of abuse in one move.

2. High-Risk ASNs Cluster Fraud

Botnets frequently operate from compromised servers concentrated within specific ASNs, and certain “bulletproof” hosting providers market themselves to exactly the kind of customers who don’t want to be traceable. Transactions and traffic originating from these high-risk ASNs are far more likely to be fraudulent. Once you can see the ASN behind a request, entire networks of abuse become a single checkbox to block.

3. It Exposes VPNs, Proxies, and Tor

Most commercial VPNs and the bulk of proxy services run their exit nodes out of data centers — which means they share the same hosting ASNs. A visitor deliberately masking their real location through a VPN exit node lights up the same network-type signal as a bot. For high-fraud regions and high-ticket products, that masking is itself worth flagging.

4. It Catches What Geolocation Misses

A fraudster using a data-center IP in Frankfurt to place an order shipping to a high-risk address elsewhere doesn’t trip a simple country filter — the IP looks European. But the network type gives them away: legitimate German shoppers don’t check out from OVH or Hetzner servers. ISP-level signals catch fraud that pure geo-blocking sails right past.

Rows of servers and network cables in a data center

The Residential Proxy Problem (And Its Limits)

It would be too easy if every bot announced itself with a clean AWS IP. The most sophisticated attackers know that data-center traffic gets blocked, so they pay for residential proxy networks — services that route their traffic through real home internet connections, often hijacked from compromised devices or rented from users who installed a shady free app.

Residential proxies are a genuine challenge. An IP that appears to belong to a home user in Seattle could be relaying traffic from anywhere on earth, which neuters traditional geolocation-based controls. This is exactly why no serious fraud strategy relies on IP intelligence alone.

But two things keep residential proxies from being a reason to give up on ISP-level blocking:

  1. They’re expensive. Residential proxy traffic costs orders of magnitude more than data-center traffic. The overwhelming majority of casual scraping, bot, and card-testing activity still comes from cheap hosting IPs — because most attackers won’t pay residential-proxy prices to abuse a small or mid-sized store. Blocking data centers raises the cost of attacking you, which is often enough to send attackers looking for an easier target.
  2. They pair with other signals. Residential-proxy fraud rarely travels alone. It shows up alongside behavioral anomalies — impossible browsing speed, velocity spikes, mismatched billing and shipping, repeated checkout attempts after declines. Network type is one layer in a stack, and the stack is what catches the sophisticated stuff.

The takeaway: ISP and ASN blocking removes the cheap, high-volume threat outright and forces the rest into more expensive, more detectable behavior. That’s a win on both fronts.

What ISP Blocking Looks Like on a Shopify Store

So how do you actually act on this? On Shopify, network-level protection generally takes a few forms, ideally layered together:

  • Block data-center and hosting ASNs. Stop traffic from the networks legitimate shoppers never use — AWS, DigitalOcean, OVH, Hetzler, and the broader universe of hosting providers. This single category covers most automated abuse.
  • Block specific high-risk ASNs / ISPs. When your blocked-traffic logs reveal a particular network sending nothing but bots or fraud attempts, shut down that ASN specifically.
  • Block VPNs and proxies. Since these largely overlap with hosting networks, blocking anonymizing infrastructure closes a major fraud avenue — particularly valuable on high-value orders.
  • Layer in country and city rules. Combine network signals with geographic targeting so you focus your store on the markets and customers that actually convert.

Out of the box, native Shopify doesn’t give merchants granular control over ASN- or ISP-level blocking. You can’t open your admin and tell Shopify “reject every request from DigitalOcean’s network.” That capability lives in dedicated security apps built for exactly this purpose.

Kedra Shield gives you that control directly. It lets you block traffic by ASN/ISP network, by country and city, by individual IP address or IP range, and by VPN/proxy status — all without code. You can shut out the data-center networks that bots live on, blacklist the specific ISPs your logs flag as problematic, and keep a clear view of exactly who’s being blocked and why. The fraudulent request never reaches your store, so there’s no fake order to cancel, no scraped catalog, no chargeback to fight, and no bot load dragging down your page speed and SEO.

Security analyst reviewing a dashboard of blocked traffic and network activity

A Practical ISP-Blocking Playbook

You don’t need to be a network engineer to put this to work. A handful of well-chosen rules covers the vast majority of network-level abuse.

Step 1: Block Data-Center and Hosting Networks

Start with the highest-impact move. Enabling protection against data-center and hosting traffic removes the cheapest, most automated threats — scrapers, bots, and card-testing scripts — in a single step. Real shoppers won’t notice; they’re not browsing from servers anyway.

Step 2: Turn On VPN and Proxy Detection

Layer in VPN/proxy blocking, especially if you’ve struggled with chargebacks or fake orders. Be thoughtful here: a minority of privacy-conscious legitimate customers use VPNs, so consider applying stricter VPN rules to high-value orders or high-risk regions rather than blocking blanket-wide. (More on avoiding false positives below.)

Step 3: Watch Your Blocked-Traffic Logs

This is where ISP blocking gets genuinely powerful. Review which networks are hitting your store. Patterns emerge fast — a single ASN responsible for thousands of requests, a hosting provider sending nothing but bot traffic, a region you don’t even ship to lighting up your logs. Each pattern is a rule waiting to be made.

Step 4: Block Specific High-Risk ASNs and ISPs

When your logs surface a network that sends only abuse, block that ASN or ISP specifically. This surgical approach lets you shut down a persistent attacker without touching any legitimate traffic.

Step 5: Combine With Geographic Rules

Pair network blocking with country and city targeting. If you only ship to a handful of countries, a whitelist approach plus data-center blocking is an extremely tight perimeter. If you ship broadly, blacklist the specific high-fraud regions your data flags.

Step 6: Review and Refine Monthly

Network abuse evolves. New hosting providers appear, attackers rotate ASNs, and your traffic mix shifts seasonally. A short monthly review of your blocked-traffic dashboard keeps your rules sharp and catches new patterns before they become a problem.

Avoiding False Positives: Don’t Block Real Customers

ISP-level blocking is powerful precisely because it’s broad — which means it has to be applied with care. A few realities to design around:

  • Some legitimate customers use VPNs. Privacy-conscious shoppers, travelers, and users in regions with restrictive networks sometimes browse through a VPN. Blocking VPNs outright on a $25 order can cost you more in lost sales than the rare fraud it prevents. Reserve aggressive VPN rules for high-value carts and known high-risk regions.
  • Corporate and university networks can look unusual. Some legitimate buyers sit behind business networks or institutional connections that don’t resemble typical residential ISPs. Data-center blocking targets hosting providers specifically, not business broadband — but it’s worth monitoring your logs for any legitimate network caught in the net.
  • Mobile carriers occasionally share IP ranges. Carrier-grade NAT means many mobile users can share a single IP. Avoid blocking individual IPs associated with mobile carriers; focus your network blocking on hosting and data-center ASNs instead.
  • Always start with monitoring. Before you block aggressively, watch your traffic for a week or two. Confirm that the networks you’re about to block really are sending abuse and not customers.

The right philosophy is a graduated response: block obvious data-center and bot traffic outright, apply stricter VPN and high-risk-ASN rules conditionally on risky orders, and keep a close eye on the dashboard so any false positive gets caught and corrected fast.

Padlock and shield icon over a circuit board representing layered website security

ISP Blocking Is One Layer of a Bigger Strategy

Network-level blocking is one of the most efficient defenses you can deploy, but it works best as part of a layered approach. The merchants getting real results combine ISP/ASN blocking with:

  • Country and city blocking to focus on the markets that actually convert.
  • IP and IP-range blocking for surgical control over specific bad actors.
  • VPN and proxy detection to close the anonymization gap.
  • Bot detection that stops automated traffic before it scrapes content or skews your analytics.
  • Content protection — disabling right-click, copy-paste, and developer tools — to make whatever traffic does get through far less useful to scrapers.
  • Checkout-level validation rules (via tools like Kedra Checkout Rules) as a final gate that blocks suspicious orders even if the visitor slips past your perimeter.

Each layer catches a different slice of abuse. Network blocking removes the cheap, high-volume threats; behavioral and checkout rules catch the sophisticated stragglers. Together they keep your fraud rates, your server load, and your chargeback ratio down — without strangling the legitimate traffic that actually pays your bills.

Bringing It All Together

The network a visitor connects from is one of the clearest tells in all of fraud detection. Real customers shop from homes, phones, and offices. Bots, scrapers, and a huge share of fraudsters operate from data centers and hosting providers — and that single distinction lets you block an entire category of abuse before it ever touches your store.

Start by blocking data-center and hosting traffic. Add VPN and proxy detection. Watch your logs, blacklist the specific ASNs and ISPs that send only abuse, and layer the whole thing on top of country, IP, and checkout rules. With Kedra Shield, you can build all of it with no code — and turn the network signal that fraudsters rely on into the exact thing that shuts them out.

Every bad request you block at the network edge is a scrape that never happens, a fake order that’s never placed, and a chargeback you never have to fight. Read the ISP. Trust the signal. Lock the door.

K

Kedra Team

Expert insights on Shopify development and e-commerce growth strategies.

More Articles

Continue exploring our insights and expertise

A/B Testing Checkout Changes: Measure Before You Commit

Framework for testing checkout modifications without risking conversion rates. Learn how to validate changes to payment methods, shipping options, and checkout flow before rolling them out store-wide.

AI Shopping Agents Are Here: Is Your Store Ready for Autonomous Buyers?

An in-depth look at the autonomous shopping agents from OpenAI, Anthropic, Perplexity, and Google that now browse and buy on behalf of real customers — and the structured data, schema, and indexation work Kedra AI Index handles to make sure your Shopify store is one of the brands they actually consider.

The AI Content Scraping Crisis: How ChatGPT and Competitor Bots Are Stealing Your Shopify Store

AI bots cost e-commerce $7.48B yearly. Learn how ChatGPT & competitors steal Shopify content, plus 5 proven methods to protect your store today.

View All Articles