
Enriching IP Blacklists Using a Reverse IP/DNS Database

Every organization faces two kinds of cyber threats daily — "known" and "unknown" ones. Known threats are those that security experts have discovered, often published in blogs and major news outfits with accompanying indicators of compromise (IoCs). Unknown threats, meanwhile, are those that remain hidden to victims and researchers. IoCs for these have yet to be identified and disclosed.

One way to detect unknown threats is to use known IoCs as a starting point, a process known as blacklist enrichment. Enterprises may find it useful to dive deeper into their existing blacklists and uncover an attacker's wider digital footprint, using a harmful or downright malicious IP address as the input. In this post we show how to do that with the aid of a reverse IP/DNS database.

Find Otherwise-Hidden Connections to Malicious Domains

To illustrate, we obtained a list of the 20 most recent malicious IP address additions (as of 30 September 2020) to the AbuseIPDB database, which include:

IP Address               Number of Citations for Malicious Activity
158[.]69[.]110[.]31      8,870
141[.]98[.]9[.]165       3,038
222[.]186[.]30[.]112     3,036
91[.]204[.]248[.]42      2,311
106[.]12[.]92[.]246      2,264
180[.]76[.]186[.]109     1,253
147[.]135[.]135[.]111    1,133
171[.]34[.]78[.]119      467
116[.]233[.]19[.]80      454
106[.]13[.]177[.]53      444
209[.]97[.]166[.]234     139
119[.]28[.]223[.]229     48
59[.]42[.]39[.]125       27
113[.]173[.]192[.]117    2
123[.]27[.]89[.]50       2
180[.]120[.]211[.]191    2
206[.]189[.]72[.]161     2
141[.]98[.]9[.]166       1
156[.]199[.]196[.]137    1
222[.]138[.]49[.]79      1

General Findings

Initial analysis of the IP addresses cited for violations revealed the following:

  • Nine of the 20 IP addresses were based in China according to their IP geolocation.
  • 158[.]69[.]110[.]31 was cited the most times (8,870 in total) for a variety of malicious activities.
  • The top 3 reasons for malicious citations were hacking (18 IP addresses), File Transfer Protocol (FTP) brute force (17 IP addresses), and brute force (16 IP addresses).

A Deeper Dive into the Digital Footprint of a Malicious IP Address Using Reverse IP/DNS Database

While IP-level blocking could protect organizations from the threats that a malicious IP address such as 209[.]97[.]166[.]234 can bring, it may not be sufficient or optimal. An alternative or complementary approach is to seek out the domains and subdomains connected to malicious IP addresses and block them, though only after confirming that they are harmful.

Our reverse IP/DNS database, for instance, showed that 209[.]97[.]166[.]234 resolved to the following domains and subdomains at some point in time:

  • mx12[.]collision48419[.]tokyo on 19 August 2020
  • coingnu[.]com on 27 November 2019
  • khun-teee[.]com on 28 August 2019
  • naitinoi[.]com on 20 August 2019
  • rhicavipz[.]me on 30 November 2018
  • manage-apleid[.]ddns[.]net on 26 November 2018
  • anumase[.]ddns[.]net on 25 November 2018
  • appleidmanage[.]ddns[.]net on 25 November 2018
  • hmmjembod[.]sytes[.]net on 25 November 2018
  • applelockedreview[.]myvnc[.]com on 25 November 2018
  • tools[.]hackers[.]moe on 2 November 2018
  • openph[.]org on 5 July 2018
  • staging[.]openph[.]org on 5 July 2018

Users can check these entities using a threat intelligence platform or publicly available threat databases to see if any related domains or subdomains may require blacklisting. From the list above, for example, we found that appleidmanage[.]ddns[.]net was dubbed malicious on VirusTotal.
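The pivot described above, written out as an added example (not code from the post or from WhoisXML API): refang a blacklisted IP, look it up in a reverse IP/DNS source, mark any host that a reputation feed already flags, and decide what unit to block. The reverse IP records, the reputation feed and the list of shared dynamic-DNS zones are all constructed stand-ins; a real deployment would query the provider's API and a threat intelligence platform instead.

```python
"""Pivot from a blacklisted IP to the domains it hosted, then triage them."""
from dataclasses import dataclass
from datetime import date

def refang(indicator: str) -> str:
    """Turn the post's defanged notation ("209[.]97[.]166[.]234") into a real IP."""
    return indicator.replace("[.]", ".")

# Constructed stand-in for a reverse IP/DNS database query; the records mirror
# part of what the post lists for 209.97.166.234. Real use would call the API.
REVERSE_IP_DB = {
    "209.97.166.234": [
        ("mx12.collision48419.tokyo", date(2020, 8, 19)),
        ("appleidmanage.ddns.net", date(2018, 11, 25)),
        ("hmmjembod.sytes.net", date(2018, 11, 25)),
        ("openph.org", date(2018, 7, 5)),
        ("staging.openph.org", date(2018, 7, 5)),
    ],
}
# Shared dynamic-DNS zones (assumed list): a hit here belongs to one tenant, so
# the block candidate is the full hostname, never the zone apex.
SHARED_DYNDNS_ZONES = {"ddns.net", "sytes.net", "myvnc.com"}
# Constructed reputation feed standing in for a VirusTotal / TIP verdict.
KNOWN_MALICIOUS = {"appleidmanage.ddns.net"}

@dataclass
class Candidate:
    hostname: str
    last_seen: date
    block_unit: str   # what would actually go on the blocklist
    verdict: str      # "malicious" (confirmed by feed) or "review" (analyst check)

def block_unit(hostname: str) -> str:
    """Apex domain to block, or the full host when the apex is a shared zone."""
    labels = hostname.split(".")
    apex = ".".join(labels[-2:])
    return hostname if apex in SHARED_DYNDNS_ZONES else apex

def enrich(defanged_ip: str) -> list:
    """Reverse-IP pivot: every host the IP resolved to, newest first, with a verdict."""
    ip = refang(defanged_ip)
    found = []
    for host, seen in REVERSE_IP_DB.get(ip, []):
        verdict = "malicious" if host in KNOWN_MALICIOUS else "review"
        found.append(Candidate(host, seen, block_unit(host), verdict))
    return sorted(found, key=lambda c: c.last_seen, reverse=True)

if __name__ == "__main__":
    for c in enrich("209[.]97[.]166[.]234"):
        print(f"{c.last_seen} {c.hostname:<30} block={c.block_unit:<25} {c.verdict}")
```

The two-label apex heuristic in block_unit is deliberately simple; production code should consult the Public Suffix List so that hosts under country-code second-level domains are not collapsed to the wrong apex.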


Organizations that only rely on, and block access to and from, known IoCs might miss an opportunity to bolster their cybersecurity. Subjecting malicious IP addresses to further checks using a reverse IP/DNS database makes it possible to identify dangerous properties that may represent as-yet unknown threats.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
