One of the most important talents a cybersecurity expert must have is the ability to detect and block a suspicious IP address.

What is an IP address?

IP address (also known as the Internet Protocol Address) is a label assigned to every single device connected to the internet. This label consists of numbers and is unique.

Assigning an IP address to the devices with an internet connection serves two purposes: identification and addressing. With the help of IP addresses, one can identify the host and/or the network, and address the location of the device.

Internet Assigned Numbers Authority (also known as the IANA) manages the IP address space globally and has five distinct regional Internet Registries that manage different regions on the globe.

There are two different versions of the IP addresses. One is a rather dated version called ARPANET which was first used in 1983. The other one is called Internet Protocol version 4 (also known as the IPv4).

As of today, both of these Internet Protocol versions are used simultaneously.

What does suspicious IP mean?

Simply put, there are ‘good’ IPs and there are ‘suspicious’ IPs. Several different factors can make an IP suspicious: Sending a lot of spam, being associated with a device that is swarmed with malware, being associated with adware, showing different behavior patterns, and such.

Being able to detect suspicious IP addresses and blocking them before they cause any harm is an essential skill for a cybersecurity professional to have.

What is IP reputation?

An IP address with a strong history of non-malicious activity and relationships — meaning it has never been associated with malicious behavior or malware, never been hijacked by malicious actors and is otherwise only connected to benign domains, locations, and internet objects — then that IP will have a good reputation. But if the IP has been observed hosting malware at various points in the past (even if it is currently benign) or is connected to domains known for hosting phishing sites, dropping malware, or performing other malicious activity, then there’s a good chance that IP poses a risk to internet users. The riskier the IP, the worse its reputation.

Why is IP reputation important?

A strong IP reputation means the device that corresponds with that address is a trustworthy location for information and internet communications. For example, if you’re a business owner who wants to send emails to clients, your IP reputation can strongly affect whether your emails get flagged as spam. If your website gets hijacked or one of your servers is used fraudulently in malicious spam (“malspam”) campaign, your IP reputation will go down, so emails from you will not be considered trustworthy. Therefore, your attempts at email marketing will go exactly nowhere until your reputation improves.

How do you determine an IP reputation score?

There are a variety of factors that must be considered to produce an accurate IP reputation score.

Here are some of the parameters that may be used in gauging IP reputation.

• IP category
• Age of the IP
• History of the IP
• Domain reputation
• Associated URL reputation
• Presence of downloadable files or code
• Previous association with malicious internet objects
• Current association with malicious internet objects
• Popularity
• Hosting location
• Real-time performance
• Website and/or network owner
• Presence on any allow/blocklists

Analyzing the above types of characteristics can yield a very accurate assessment of the level of risk associated with a given IP address.

Free Online Tools for Looking up Potentially Malicious Websites

Several organizations offer free online tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real-time to identify threats:

• AbuseIPDB: Provides reputation data about the IP address or hostname
• Auth0 Signals: Checks IP address reputation; supports API
• BrightCloud URL/IP Lookup: Presents historical reputation data about the website
• CheckPhish: Checks whether the URL is a fraudulent site
• Desenmascara.me: Flags websites suspected of selling counterfeit products
• Email Blocklist Checker: Checks the domain name or IP address against email blocklists (email address required, opts into marketing).
• FortiGuard lookup: Displays the URL’s history and category
• Google Safe Browsing: Look up the website’s current status
• hashdd: Provides historical data about IPs, URLs, etc.
• IBM X-Force Exchange: Provides historical data about IPs, URLs, etc.
• IPQualityScore: Presents a risk ranking for the IP address
• Joe Sandbox URL Analyzer: Examines the URL in real time
• Ironscales Fake Login URL Scanner: Examines the URL for signs of phishing
• Is It Hacked: Performs several checks in real time and consults some blacklists
• IsItPhishing: Assesses the specified URL in real-time
• Kaspersky Threat Intel Portal: Looks up the IP, URL, or domain in a blacklist
• Norton Safe Web: Presents historical reputation data about the website
• Palo Alto Networks URL Filtering: Looks up the URL in a blacklist
• PhishTank: Looks up the URL in its database of known phishing websites
• PolySwarm: Uses several services to examine the website or look up the URL
• Malware Domain List: Looks up recently-reported malicious websites
• MalwareURL: Looks up the URL in its historical list of malicious websites
• McAfee TrustedSource: Presents historical reputation data about the website
• MxToolbox: Queries multiple reputational sources for information about the IP or domain
• Open Threat Exchange: Presents diverse threat intelligence data from AlienVault
• PassiveTotal: Presents passive DNS and other threat intelligence data
• Pulsedive: Presents historical data and queries for additional information
• Quttera ThreatSign: Scans the specified URL for the presence of malware
• Reputation Authority: Shows reputational data on specified domain or IP address
• Scamadviser: Checks whether the website is likely a shopping scam
• SecurityTrails: Provides current and historical domain or system data
• Sucuri SiteCheck: Scans the URL for malware in real-time and looks it up in several blacklists
• Talos Reputation Lookup: Presents historical reputation data about the website
• Trend Micro Site Safety Center: Presents historical reputation data about the website
• ThreatSTOP Check IoC: Looks up the UP or domain in a blacklist (requires your email address)
• Unmask Parasites: Looks up the URL in the Google Safe Browsing database
• urlscan.io: Examines the URL in real time and displays the requests it issues to render the page
• URLVoid and IPVoid: Looks up the URL or IP in several blacklisting services
• VirusTotal: Looks up the URL in several databases of malicious sites
• ThreatMiner: Presents diverse threat intelligence data
• WebPulse Site Review: Looks up the website in BlueCoat’s database
• Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques
• zveloLive: Looks up the website in its database of categories

Sources:
Free Online Tools for Looking up Potentially Malicious Websites (zeltser.com)
What is IP Reputation? | Webroot
How to Detect Suspicious IP Addresses — Logsign

Originally posted at: https://ztrkouzhan.medium.com/how-to-detect-suspicious-ip-addresses-4ebb0d55caac

---

About the Author

Oğuzhan Öztürk

Expert in data gathering, investigating, and documenting findings in
the analysis.
Comfortable with OSINT, Kali Linux, and Vulnerability searching
tools like Sn1per, Tenable Nessus. Familiar with Frameworks such as

-Mitre ATT&CK
-Cyber Kill Chain
-Diamond Model

Also good at using deep search tools to gather threat information.
Web Developer background
(HTML, CSS, WordPress, Bootstrap)
Experienced in management, the psychology of human beings, and
working with multicultural teams
Be able to speak 3 languages (English, Turkish and Russian)