Adventures in running a free public API

2015-11-11 12:57

The first iteration of Telize launched on April 20th, 2013. It started as a simple endpoint returning the client IP address in plain text, directly from Nginx, using the third-party HTTP Echo module. As there was no application server involved, latency was very good and people started using it. The current iteration launched on August 21st, 2013, and introduced a REST API built on Nginx and Lua that makes it possible to get a visitor's IP address and to query location information for any IP address.

The software itself is the result of countless hours of coding and testing, and has been open source since the beginning. I invested a lot of time and money running and managing the instances so everyone could enjoy it for free, and I've been mostly happy doing so for the last two and a half years.

Of course there have been some abuses, such as idiots scanning whole IP ranges (either as an attempt to harm the service or to rebuild a freely available database by iterating over the whole IPv4 address space), or some companies leeching off a free service and sending substantial amounts of traffic. After all, the API was unrestricted and not rate limited, and I still think to this day that it was easier to add capacity as Telize grew instead of implementing ratios and regulating the service. So for the most part, I didn't mind and I'm happy people put the API to good use.

However, things changed when I discovered Telize was being used by malware and ransomware. Quite frankly, this is something I just can't tolerate. On November 5th I announced the decision to close the public instance with 10 days' notice, effective November 15th. I simply do not have the time, energy, or resources to engage in fighting abuses.

So where do we go from here? Well, Telize is open source, and can be downloaded as tarball releases or on GitHub. The project will keep being maintained and anyone can install and run their own instance; there is no "vendor" lock-in. For those for whom the previous option is not possible, there will be a paid version to ease the transition. This is the only way to ensure that the service can't be used for nefarious purposes without a trace.

In retrospect, it has been a positive adventure and a nice surprise to see Telize grow steadily to serve more than 130M daily queries and give birth to new ideas. In fact, my very own Logswan was born out of the necessity of processing more than 20GB of logs daily.