Mideye Shield IP Reputation & Auto-Blocking
Mideye Shield is a threat intelligence layer built into Mideye Server. It evaluates every authentication request against IP reputation data, automatically blocks high-risk sources, and alerts administrators to suspicious activity. Unlike firewalls and web application firewalls (WAFs), Shield operates at the authentication layer — it understands login attempts, not just network traffic.
Why authentication needs its own threat layer
Section titled “Why authentication needs its own threat layer”Traditional network security — firewalls, intrusion detection systems, WAFs — protects the perimeter and the application layer. But authentication attacks are different:
- Credential stuffing uses valid-looking requests. Each login attempt looks normal individually. The attack is visible only when you analyze patterns across many attempts.
- Password spraying tries common passwords across many accounts. Each account sees only one or two attempts — below typical lockout thresholds.
- Brute force from botnets distributes attempts across thousands of IP addresses. Rate limiting per IP doesn’t catch it.
- VPN authentication bypasses web security. RADIUS authentication happens before users reach your network. WAFs and application-layer protections don’t apply.
Mideye Shield addresses these blind spots by evaluating threat intelligence specifically at the authentication decision point.
How Mideye Shield works
Section titled “How Mideye Shield works”IP reputation scoring
Section titled “IP reputation scoring”Every incoming authentication request is evaluated against Mideye Shield’s threat intelligence service. The source IP address receives a fraud score — a numeric assessment of how likely the IP is associated with malicious activity.
The scoring considers:
- Known botnet participation
- History of brute-force attacks
- Association with proxy/VPN anonymization services commonly used in attacks
- Geographic anomalies relative to the organization’s expected user base
- Presence on community threat intelligence feeds
Automatic blocking
Section titled “Automatic blocking”When an IP’s fraud score exceeds the configured threshold, Mideye Server automatically blocks authentication attempts from that address. The administrator configures:
- Score threshold — The fraud score at which automatic blocking kicks in (e.g., block IPs with a score above 80).
- Block response type — How to handle blocked requests:
- REJECT_REQUEST — Return a RADIUS Access-Reject. The user sees “authentication failed.”
- DISCARD_REQUEST — Silently drop the packet. The attacker gets no response, making the server appear offline from their perspective.
Automatically blocked IPs are logged and visible in the admin interface. Administrators can review, release, or permanently block individual addresses.
Webhook notifications
Section titled “Webhook notifications”When Shield detects high-risk activity, it can send real-time webhook notifications to external systems — your SIEM, a Slack channel, a ticketing system, or any endpoint that accepts HTTP POST requests. This integrates Mideye’s authentication threat data into your broader security monitoring.
Static filter rules
Section titled “Static filter rules”In addition to Shield’s dynamic IP reputation, administrators can define static filter rules — manual allow and block lists that apply before Shield evaluation.
Static rules support filtering by:
| Filter criterion | Example |
|---|---|
| Source IP address or subnet | Block 192.0.2.0/24, allow 10.0.0.0/8 |
| Username pattern | Block authentication attempts for disabled accounts |
| Calling station ID | Filter by the RADIUS Calling-Station-Id attribute (e.g., MAC address or phone number) |
Static rules are processed first. If a request matches an allow rule, it bypasses Shield scoring. If it matches a block rule, it’s rejected immediately without contacting the Shield service.
This is useful for:
- Whitelisting trusted networks — Your office IP ranges should never be blocked, even if a threat feed false-positive flags them.
- Blocking known-bad actors — Permanently block specific IPs or subnets without waiting for Shield scoring.
- Emergency response — Quickly block a specific source during an active attack, before Shield’s aggregated scoring catches up.
Resilience: what happens when Shield is unavailable?
Section titled “Resilience: what happens when Shield is unavailable?”Mideye Shield uses a circuit breaker pattern to ensure that Shield unavailability doesn’t prevent legitimate authentication:
- Normal state. Every authentication request is scored by Shield. High-risk IPs are blocked.
- Shield unreachable. If the Shield service doesn’t respond within the configured timeout, the circuit breaker opens.
- Circuit open. Authentication continues without Shield scoring. Static filter rules still apply. The server logs that Shield is bypassed.
- Recovery. The circuit breaker periodically tests whether Shield is available. When connectivity is restored, scoring resumes automatically.
This design ensures that Shield enhances security without becoming a single point of failure. Authentication always works. Shield adds protection when available.
How Shield differs from firewalls and WAFs
Section titled “How Shield differs from firewalls and WAFs”| Capability | Firewall / WAF | Mideye Shield |
|---|---|---|
| Operates at | Network / HTTP layer | Authentication layer |
| Understands | Packets, HTTP requests, SQL injection | Login attempts, credential patterns |
| Evaluates | All traffic | Only authentication requests |
| Knows about | IPs, ports, URLs | IPs, usernames, RADIUS attributes, fraud scores |
| Blocks | Network connections, HTTP requests | Authentication attempts |
| Applies to RADIUS | No (RADIUS is UDP, not HTTP) | Yes — every RADIUS Access-Request |
| Response options | Drop, reset, HTTP error | RADIUS reject, silent discard |
Shield is not a replacement for firewalls or WAFs — it’s a complementary layer that adds threat intelligence at the point where users authenticate. Your firewall protects the network perimeter. Shield protects the authentication decision.
What gets logged
Section titled “What gets logged”Every Shield evaluation is logged with:
- Source IP address
- Fraud score
- Action taken (allowed, blocked, shield bypassed)
- Username from the authentication request
- Timestamp
Blocked attempts are logged separately in the Blocked Attempts log, making it easy to review threat activity without sifting through legitimate authentication logs.
Administrators can view auto-blocked IPs, release individual addresses, and review the fraud score history through the Mideye Server admin interface.
Configuration at a glance
Section titled “Configuration at a glance”| Setting | What it controls |
|---|---|
| Shield enabled/disabled | Master toggle for IP reputation scoring |
| Score threshold | Fraud score above which IPs are automatically blocked |
| Block response | REJECT_REQUEST or DISCARD_REQUEST |
| Webhook URL | Endpoint for real-time threat notifications |
| Static filter rules | Manual allow/block lists by IP, username, calling station |
| Circuit breaker timeout | How long to wait for Shield before bypassing |
Configuration is managed through the Mideye Server admin interface. Changes take effect immediately — no server restart required.
Next steps
Section titled “Next steps”- System Architecture — Where Shield fits in the Mideye infrastructure
- Data Residency — How Shield handles IP data
- What is RADIUS? What is RADSEC? — The protocol Shield monitors
- Compliance & Regulatory Frameworks — How threat detection supports NIS2 and other frameworks