Key Features:
IP centric, with the widest range of victims.
Provides a lighter weight feed of controller and victim IP addresses.
Enables users to vet visitors to a service, optimize firewalls, and automatically deprioritize low-criticality alerts.
Key Advantages:
Lightweight, near-real-time feed of all controllers and victims.
Offers visibility into botnets that normally evade monitoring.
Includes categories of potentially compromised devices like routers, darknet visitors, and abused proxies.
Use Cases:
E-commerce platforms can use the feed to identify and block traffic from compromised IP addresses, reducing fraud.
Healthcare organizations can ensure secure patient data transmission by filtering access from suspicious IPs.
Online gaming companies can prevent cheating and maintain fair play by monitoring and blocking connections from known malicious IPs.
Along with every Command and Control IP address (C2) for botnets we track, the feed contains IP addresses that have communicated with a C2, a honeypot, or sinkhole we operate. Other example categories of malicious behavior include darknet scans, abused proxies, openresolvers, and IPs hosting phishing sites. Using our global network of darknets, sensors, and sinkholes we formed the most comprehensive feed we have ever produced.
The IP Reputation Feed is updated hourly and contains an aggregate of the last 24 hours of activity.
​Every IP in the feed receives an individual reputation score using several different categories of patterns observed over the past 30 days. The key used to calculate the score is included in the feed and can be used to reconstruct the behavior patterns observed for each individual IP in the feed.
​IP Reputation Scoring Categories
-
Number of days in feed
-
Number of active detections
-
Number of passive detections
-
Detection type
-
Controller behavior:​
-
Non-standard port
-
# controllers on same IP
-
# unique domains on same IP
-
Instructions decoded
-
DDoS Activity
-
SSL usage
-
Malicious IPs in /24
-