borisasadanin/NCPIH

Anti Piracy Intelligence Hub

A shared threat intelligence platform for Nordic streaming operators and broadcasters. Members can report and query known pirate infrastructure — IP addresses, domains, CIDR ranges, URLs, and ASNs — through a REST API with automatic enrichment, blocklist synchronization, and STIX 2.1 export.

Built to run on Eyevinn Open Source Cloud.

Architecture

┌──────────────┐     ┌──────────────────────────────────┐     ┌──────────────┐
│   Member A   │────▶│   Anti Piracy Intelligence Hub   │◀────│   Member B   │
│  (TV2, etc.) │     │         REST API (:8000)          │     │ (Viaplay...) │
└──────────────┘     └──────────┬───────────┬────────────┘     └──────────────┘
                                │           │
                     ┌──────────▼──┐  ┌─────▼──────────┐
                     │ PostgreSQL  │  │  Redis/Valkey   │
                     │ (indicators,│  │  (lookup cache, │
                     │  members,   │  │   rate limiting)│
                     │  audit log) │  │                 │
                     └─────────────┘  └─────────────────┘

Features

  • Six indicator types: IPv4, IPv6, CIDR ranges, domains, URLs, ASNs
  • CIDR containment matching: Query a single IP and match against all known ranges (PostgreSQL GiST index)
  • Automatic enrichment: DNS resolution, ASN lookup (Team Cymru), country and hosting provider identification
  • Blocklist sync: Auto-imports ~15,000 indicators from HaGeZi and NextDNS piracy blocklists
  • STIX 2.1 export: Standards-compliant threat intelligence sharing
  • Bulk lookup: Check up to 500 IPs in a single request
  • Feed endpoint: Poll for new indicators since a given timestamp
  • Rate limiting: Redis sliding-window per API key
  • Audit trail: Every create/update/delete is logged with member ID and timestamp

Quick Start

With Docker Compose

# Clone and start
git clone <repo-url> && cd NCPIH
cp .env.example .env
docker compose up -d

# The API starts on http://localhost:8000
# PostgreSQL and Redis are started automatically
# Demo members are seeded on first boot
# Blocklist sync runs on startup (background)

Without Docker (local development)

Prerequisites: Node.js 22+, PostgreSQL 16+, Redis 7+

# Install dependencies
npm install

# Set up environment
cp .env.example .env
# Edit .env with your PostgreSQL and Redis connection strings

# Run database migrations
npm run migrate

# Seed demo members
npm run seed

# Start development server (auto-reload)
npm run dev

# Optional: run blocklist sync
npm run sync-blocklists

Verify it's running

curl http://localhost:8000/health
# → { "status": "ok", "service": "anti-piracy-intelligence-hub", "version": "1.0.0" }

API Reference

All endpoints require the X-API-Key header. See Demo API Keys below.

Indicators (CRUD)

Create indicator

curl -X POST http://localhost:8000/api/v1/indicators \
  -H "X-API-Key: apih-eyevinn-demo-key-2026" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "domain",
    "value": "pirate-nordic-tv.com",
    "confidence": 90,
    "tags": ["iptv", "streaming"],
    "notes": "Active IPTV panel serving Swedish content"
  }'

Supported types: ipv4, ipv6, cidr, domain, url, asn

ASN accepts both numeric (12345) and AS-prefix format (AS12345).

The indicator is automatically enriched with DNS resolution, ASN number, ASN name, country, and hosting provider.

If an indicator with the same type and value already exists, it is upserted: confidence is set to the higher value, tags are merged, and last_seen is updated.
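The upsert rule above, written out as an added example (not the project's own code). The record field names, the in-memory `Map` standing in for PostgreSQL, and the normalisation in `canonicalValue` are assumptions; the page only states that both ASN spellings are accepted.

```typescript
// Added example, not the hub's code. Field names and normalisation are assumptions.
type MemberReport = { type: string; value: string; confidence: number; tags: string[]; seenAt: string };
type Stored = {
  type: string; value: string; confidence: number; tags: string[];
  first_seen: string; last_seen: string;
};

// Canonical form so equivalent spellings land on the same (type, value) key.
function canonicalValue(type: string, value: string): string {
  const v = value.trim();
  if (type === "asn") return String(Number(v.replace(/^AS/i, ""))); // AS24940 -> 24940
  if (type === "domain") return v.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return v;
}

// Union of tags, without duplicates, in sorted order.
function mergeTags(a: string[], b: string[]): string[] {
  const all = a.concat(b);
  return all.filter((t, i) => all.indexOf(t) === i).sort();
}

// Apply one member report to the store and return the resulting row.
function upsert(store: Map<string, Stored>, r: MemberReport): Stored {
  const value = canonicalValue(r.type, r.value);
  const key = r.type + "|" + value;
  const prev = store.get(key);
  const next: Stored = {
    type: r.type,
    value: value,
    // a later, lower score cannot downgrade an existing indicator
    confidence: prev ? Math.max(prev.confidence, r.confidence) : r.confidence,
    tags: mergeTags(prev ? prev.tags : [], r.tags),
    first_seen: prev ? prev.first_seen : r.seenAt,
    // ISO 8601 UTC strings in one format compare correctly as text
    last_seen: prev && prev.last_seen > r.seenAt ? prev.last_seen : r.seenAt,
  };
  store.set(key, next);
  return next;
}

// Constructed sample: two members report the same ASN in different spellings.
function demoUpsert(): { rows: number; merged: Stored } {
  const store = new Map<string, Stored>();
  upsert(store, { type: "asn", value: "AS24940", confidence: 80,
                  tags: ["datacenter"], seenAt: "2026-02-14T08:00:00Z" });
  const merged = upsert(store, { type: "asn", value: "24940", confidence: 60,
                                 tags: ["iptv", "datacenter"], seenAt: "2026-02-15T09:30:00Z" });
  return { rows: store.size, merged: merged };
}
```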

List / search indicators

# All active indicators
curl "http://localhost:8000/api/v1/indicators" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

# Filter by type, tags, confidence
curl "http://localhost:8000/api/v1/indicators?type=domain&tags=iptv&min_confidence=80&limit=50" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

Query parameters: type, tags (comma-separated), status, min_confidence, since (ISO 8601), source, limit (max 1000), offset

Get single indicator

curl "http://localhost:8000/api/v1/indicators/<uuid>" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

Update indicator

curl -X PUT "http://localhost:8000/api/v1/indicators/<uuid>" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026" \
  -H "Content-Type: application/json" \
  -d '{ "confidence": 95, "status": "active", "tags": ["iptv", "confirmed"] }'

Delete indicator (soft-delete)

curl -X DELETE "http://localhost:8000/api/v1/indicators/<uuid>" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

Sets status to expired. No data is permanently removed.


Lookup (real-time queries)

Designed for integration into CDN edge validators, WAF rules, and DNS filters.

IP lookup

curl "http://localhost:8000/api/v1/lookup?ip=185.234.72.99" \
  -H "X-API-Key: apih-viaplay-demo-key-2026"

Matches the IP against exact IPv4/IPv6 entries and any CIDR range containing it. Response includes all matching indicators sorted by confidence.

Domain lookup

curl "http://localhost:8000/api/v1/lookup?domain=panel.pirate-tv.com" \
  -H "X-API-Key: apih-viaplay-demo-key-2026"

Matches the exact domain and all parent domains (e.g., querying panel.pirate-tv.com also matches pirate-tv.com).
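The IP and domain matching rules described above, as an added client-side example (not the hub's code, which does the containment check in PostgreSQL). It covers IPv4 only, the `Indicator` shape and sample data are constructed, and stopping parent expansion at two labels is an assumption.

```typescript
// Added example, not the hub's code: IPv4-only mirror of the lookup rules above.
type Indicator = { type: "ipv4" | "cidr" | "domain"; value: string; confidence: number };
// Dotted quad -> unsigned 32-bit number, or null if malformed.
function parseIpv4(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    // no leading zeros, signs or hex, so "099" is never read as octal or decimal
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside a block such as "185.234.72.0/24".
function cidrContains(cidr: string, ip: number): boolean {
  const m = /^([0-9.]+)\/(\d{1,2})$/.exec(cidr);
  if (m === null) return false;
  const base = parseIpv4(m[1]);
  const bits = Number(m[2]);
  if (base === null || bits > 32) return false;
  const size = Math.pow(2, 32 - bits); // arithmetic instead of 32-bit shifts
  return Math.floor(ip / size) === Math.floor(base / size);
}

// The name itself plus each parent with at least two labels, split on label
// boundaries. Simplification: no Public Suffix List, so "co.uk" counts as a parent.
function domainCandidates(domain: string): string[] {
  const labels = domain.toLowerCase().replace(/\.$/, "").split(".");
  const out: string[] = [];
  for (let i = 0; i + 2 <= labels.length; i++) out.push(labels.slice(i).join("."));
  return out;
}

function lookup(q: { ip?: string; domain?: string }, known: Indicator[]): Indicator[] {
  const ip = q.ip === undefined ? null : parseIpv4(q.ip);
  const names = q.domain === undefined ? [] : domainCandidates(q.domain);
  const hits = known.filter(k =>
    (k.type === "ipv4" && ip !== null && parseIpv4(k.value) === ip) ||
    (k.type === "cidr" && ip !== null && cidrContains(k.value, ip)) ||
    (k.type === "domain" && names.indexOf(k.value.toLowerCase()) !== -1));
  return hits.sort((a, b) => b.confidence - a.confidence); // highest confidence first
}

// Constructed sample data.
const KNOWN_SAMPLE: Indicator[] = [
  { type: "cidr", value: "185.234.72.0/24", confidence: 70 },
  { type: "ipv4", value: "185.234.72.99", confidence: 90 },
  { type: "domain", value: "pirate-tv.com", confidence: 85 },
];
```

Matching on whole labels is what keeps `notpirate-tv.com` from being treated as a child of `pirate-tv.com`, which a plain string-suffix comparison would get wrong.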

ASN lookup

curl "http://localhost:8000/api/v1/lookup?asn=24940" \
  -H "X-API-Key: apih-viaplay-demo-key-2026"

Matches ASN-type indicators and any indicator enriched with that ASN number.

Bulk IP lookup

curl -X POST "http://localhost:8000/api/v1/lookup/bulk" \
  -H "X-API-Key: apih-viaplay-demo-key-2026" \
  -H "Content-Type: application/json" \
  -d '{ "ips": ["185.234.72.99", "91.108.4.1", "8.8.8.8"] }'

Check up to 500 IPs in one request. Returns per-IP results with match status.


Export

Blocklist (plaintext / CIDR)

# Domain blocklist for DNS filtering
curl "http://localhost:8000/api/v1/export/blocklist?format=plaintext&tags=iptv&min_confidence=70" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

# CIDR list for WAF/firewall rules
curl "http://localhost:8000/api/v1/export/blocklist?format=cidr&tags=datacenter" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

# JSON export
curl "http://localhost:8000/api/v1/export/blocklist?format=json" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

STIX 2.1 bundle

curl "http://localhost:8000/api/v1/export/stix?min_confidence=60" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

Exports indicators as a STIX 2.1 bundle for integration with MISP, OpenCTI, or other threat intelligence platforms.
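How the six indicator types can map onto STIX 2.1 Indicator objects, as an added example (not the hub's exporter). The `HubIndicator` field names, the reuse of the hub UUID in the STIX id, and the use of `ISSUBSET` for CIDR ranges are assumptions; the sample record and its UUID are constructed placeholders.

```typescript
// Added example, not the hub's exporter. HubIndicator field names are assumptions.
type HubIndicator = {
  id: string;          // hub UUID, reused as the STIX object UUID
  type: "ipv4" | "ipv6" | "cidr" | "domain" | "url" | "asn";
  value: string;
  confidence: number;  // 0-100, the same scale STIX uses
  tags: string[];
  firstSeen: string;   // RFC 3339 UTC, e.g. 2026-02-14T08:00:00Z
  lastSeen: string;
};
// Pattern string literals are single-quoted: escape backslash first, then quote.
function stixLiteral(v: string): string {
  return "'" + v.replace(/\\/g, "\\\\").replace(/'/g, "\\'") + "'";
}

function stixPattern(ind: HubIndicator): string {
  const lit = stixLiteral(ind.value);
  const fam = ind.value.indexOf(":") !== -1 ? "ipv6-addr" : "ipv4-addr";
  switch (ind.type) {
    case "ipv4": return "[ipv4-addr:value = " + lit + "]";
    case "ipv6": return "[ipv6-addr:value = " + lit + "]";
    case "cidr": return "[" + fam + ":value ISSUBSET " + lit + "]"; // any address in range
    case "domain": return "[domain-name:value = " + lit + "]";
    case "url": return "[url:value = " + lit + "]";
    case "asn": {
      const m = /^(?:AS)?(\d+)$/i.exec(ind.value);
      if (m === null) throw new Error("bad ASN: " + ind.value);
      return "[autonomous-system:number = " + Number(m[1]) + "]";
    }
  }
}

function toStixIndicator(ind: HubIndicator) {
  return {
    type: "indicator", spec_version: "2.1", id: "indicator--" + ind.id,
    created: ind.firstSeen, modified: ind.lastSeen, valid_from: ind.firstSeen,
    pattern_type: "stix", pattern: stixPattern(ind),
    confidence: ind.confidence, labels: ind.tags,
  };
}

// bundleUuid is supplied by the caller (a fresh UUIDv4 per export).
function toStixBundle(bundleUuid: string, inds: HubIndicator[], minConfidence: number) {
  const objects = inds.filter(i => i.confidence >= minConfidence).map(toStixIndicator);
  return { type: "bundle", id: "bundle--" + bundleUuid, objects: objects };
}
// Constructed sample; the UUID is a placeholder.
const SAMPLE_URL: HubIndicator = { id: "00000000-0000-4000-8000-000000000001", type: "url",
  value: "http://pirate.example/p?q='a'", confidence: 90, tags: ["iptv"],
  firstSeen: "2026-02-14T08:00:00Z", lastSeen: "2026-02-15T09:30:00Z" };
```

Escaping in `stixLiteral` matters because URL indicators are member-submitted text: an unescaped quote would end the string literal early and leave consumers such as MISP or OpenCTI with a malformed or altered pattern.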


Feed

curl "http://localhost:8000/api/v1/feed?since=2026-02-14T00:00:00Z&limit=500" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

Returns all indicators created or updated since the given timestamp. Designed for periodic polling by member systems.


Stats

curl "http://localhost:8000/api/v1/stats" \
  -H "X-API-Key: apih-eyevinn-demo-key-2026"

Returns aggregated statistics: total indicators, breakdown by type/tag/status/source, recent activity (24h / 7d).


Demo API Keys

Pre-configured demo members and their API keys:

Member                    API Key
TV2 Denmark               apih-tv2dk-demo-key-2026
Viaplay Group             apih-viaplay-demo-key-2026
Allente                   apih-allente-demo-key-2026
Telia Company             apih-telia-demo-key-2026
NRK                       apih-nrk-demo-key-2026
SVT                       apih-svt-demo-key-2026
Warner Bros. Discovery    apih-wbd-demo-key-2026
Eyevinn Technology        apih-eyevinn-demo-key-2026
Administration            apih-admin-demo-key-2026

Configuration

Environment variables (see .env.example):

Variable                         Default                                       Description
PORT                             8000                                          Server port
DATABASE_URL                     postgresql://apih:apih@localhost:5432/apih    PostgreSQL connection string
REDIS_URL                        redis://localhost:6379                        Redis/Valkey connection string
BLOCKLIST_SYNC_ENABLED           true                                          Enable automatic blocklist import
BLOCKLIST_SYNC_INTERVAL_HOURS    24                                            Hours between blocklist syncs
LOOKUP_CACHE_TTL                 300                                           Redis cache TTL for lookups (seconds)
RATE_LIMIT_RPM                   600                                           Max requests per minute per API key
LOG_LEVEL                        info                                          Log level: debug, info, warn, error

Deployment on Eyevinn Open Source Cloud

The service is designed to run on Eyevinn Open Source Cloud (osaas.io) using managed PostgreSQL and Redis/Valkey instances.

1. Provision infrastructure

Create PostgreSQL and Valkey instances via OSC:

# PostgreSQL
npx @osaas/cli create eyevinn-osc-postgres apih-db

# Valkey (Redis-compatible)
npx @osaas/cli create eyevinn-osc-valkey apih-cache

2. Build and push Docker image

docker build -t anti-piracy-intelligence-hub .
# Push to your container registry

3. Deploy on OSC

Deploy the API service with environment variables pointing to the managed instances:

npx @osaas/cli create <your-service> apih \
  -o DatabaseUrl=<postgresql-url-from-step-1> \
  -o RedisUrl=<redis-url-from-step-1> \
  -o Port=8000 \
  -o BlocklistSyncEnabled=true

Blocklist Sources

The following public blocklists are automatically imported:

Source                 Content                   Default Confidence
HaGeZi Anti-Piracy     Piracy domains            65
NextDNS - Streaming    Streaming piracy sites    65
NextDNS - Torrent      Torrent sites             60
NextDNS - Warez        Warez/DDL sites           60
Member-submitted indicators receive higher confidence scores (typically 80-100).

Tech Stack

  • Runtime: Node.js 22 + TypeScript 5
  • Framework: Express 4
  • Database: PostgreSQL 16 (with inet/cidr types and GiST indexes)
  • Cache: Redis/Valkey via ioredis
  • Validation: Zod
  • Enrichment: DNS (Node built-in) + Team Cymru ASN lookup
  • Logging: Pino

License

MIT


Built by Eyevinn Technology — an independent media technology consultancy.
