How to Detect Suspicious IP Addresses by Oğuzhan Öztürk


One of the most important talents a cybersecurity expert must have is the ability to detect and block a suspicious IP address.

What is an IP address?

IP address (also known as the Internet Protocol Address) is a label assigned to every single device connected to the internet. This label consists of numbers and is unique.

Assigning an IP address to the devices with an internet connection serves two purposes: identification and addressing. With the help of IP addresses, one can identify the host and/or the network, and address the location of the device.

Internet Assigned Numbers Authority (also known as the IANA) manages the IP address space globally and has five distinct regional Internet Registries that manage different regions on the globe.

There are two different versions of the IP addresses. One is a rather dated version called ARPANET which was first used in 1983. The other one is called Internet Protocol version 4 (also known as the IPv4).

As of today, both of these Internet Protocol versions are used simultaneously.

What does suspicious IP mean?

Simply put, there are ‘good’ IPs and there are ‘suspicious’ IPs. Several different factors can make an IP suspicious: Sending a lot of spam, being associated with a device that is swarmed with malware, being associated with adware, showing different behavior patterns, and such.

Being able to detect suspicious IP addresses and blocking them before they cause any harm is an essential skill for a cybersecurity professional to have.

An IP address with a strong history of non-malicious activity and relationships — meaning it has never been associated with malicious behavior or malware, never been hijacked by malicious actors and is otherwise only connected to benign domains, locations, and internet objects — then that IP will have a good reputation. But if the IP has been observed hosting malware at various points in the past (even if it is currently benign) or is connected to domains known for hosting phishing sites, dropping malware, or performing other malicious activity, then there’s a good chance that IP poses a risk to internet users. The riskier the IP, the worse its reputation.

A strong IP reputation means the device that corresponds with that address is a trustworthy location for information and internet communications. For example, if you’re a business owner who wants to send emails to clients, your IP reputation can strongly affect whether your emails get flagged as spam. If your website gets hijacked or one of your servers is used fraudulently in malicious spam (“malspam”) campaign, your IP reputation will go down, so emails from you will not be considered trustworthy. Therefore, your attempts at email marketing will go exactly nowhere until your reputation improves.

There are a variety of factors that must be considered to produce an accurate IP reputation score.

Here are some of the parameters that may be used in gauging IP reputation.

  • IP category
  • Age of the IP
  • History of the IP
  • Domain reputation
  • Associated URL reputation
  • Presence of downloadable files or code
  • Previous association with malicious internet objects
  • Current association with malicious internet objects
  • Popularity
  • Hosting location
  • Real-time performance
  • Website and/or network owner
  • Presence on any allow/blocklists

Analyzing the above types of characteristics can yield a very accurate assessment of the level of risk associated with a given IP address.

Free Online Tools for Looking up Potentially Malicious Websites

Several organizations offer free online tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real-time to identify threats:

Free Online Tools for Looking up Potentially Malicious Websites (
What is IP Reputation? | Webroot
How to Detect Suspicious IP Addresses — Logsign

Originally posted at:

About the Author

Oğuzhan Öztürk

1Expert in data gathering, investigating, and documenting findings in
the analysis.
Comfortable with OSINT, Kali Linux, and Vulnerability searching
tools like Sn1per, Tenable Nessus. Familiar with Frameworks such as

-Mitre ATT&CK
-Cyber Kill Chain
-Diamond Model

Also good at using deep search tools to gather threat information.
Web Developer background
(HTML, CSS, WordPress, Bootstrap)
Experienced in management, the psychology of human beings, and
working with multicultural teams
Be able to speak 3 languages (English, Turkish and Russian)


July 28, 2021
Notify of
1 Comment
Oldest Most Voted
Inline Feedbacks
View all comments
1 year ago

what do you think is a good age for an IP and what do you mean by IP Category i.e are you talking about spam/botnet etc or shared/private etc.

Last edited 1 year ago by Evan
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.