
How to Detect Suspicious IP Addresses

Being able to detect and block a suspicious IP address is one of the most essential skills a cyber security specialist must have. Read our article to learn more about the detection of suspicious IP addresses.

A new report published by Recorded Future shows that roughly 90% of suspicious IP addresses are not identified by current blacklists. This means that malicious IP addresses roam the internet freely and pose a great threat to many organizations. That is why taking the necessary precautions to detect and block such IP addresses is one of the most urgent tasks of your cyber security team for the safety of your organization. In this article, we will discuss how you can detect suspicious IP addresses and what you can do to block them.

What is an IP address?

An IP address (Internet Protocol address) is a label assigned to each and every device connected to the internet. This label consists of numbers and is unique.

Assigning an IP address to internet-connected devices serves two purposes: identification and addressing. With the help of IP addresses, one can identify the host and/or the network, and address the location of the device.

The Internet Assigned Numbers Authority (IANA) manages the IP address space globally, with five distinct Regional Internet Registries managing different regions of the globe.

There are two different versions of the IP address. One is a rather dated version called ARPANET, which was first used in 1983. The other is Internet Protocol version 4 (IPv4).

As of today, both of these Internet Protocol versions are used simultaneously.

What does suspicious IP mean?

Simply put, there are 'good' IPs and there are 'suspicious' IPs. A number of different factors can make an IP suspicious: sending a lot of spam, being associated with a device infested with malware, being associated with adware, showing unusual behaviour patterns, and so on.

Being able to detect suspicious IP addresses and blocking them before they cause any harm is an essential skill for a cyber security professional to have.

How can I detect suspicious IP addresses?

There are various ways to detect suspicious IP addresses. You can use specifically designed software, use lookup and reputation tools or depend on a strong firewall.

If you work with a firewall or similar software, you can define behaviour patterns and/or features so that the software blocks any IP that exhibits the behaviours or patterns you specified. Such software can also point you in the right direction if you are new to this: it often ships with a benchmark and/or baseline that helps it decide whether an IP is suspicious or not. You must keep the software updated regularly to benefit from such features.

Also, an individual IP may show curious behaviour that you want to check specifically. To do so, you can make use of blacklists, IP reputation tools and IP lookup tools.
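The two detection approaches described above (a reputation check against a blacklist and a behaviour-pattern threshold) can be combined in a small log analyser. The following is an added example written for this article, not code from the original page; the sshd-style log lines and the blocklist entries are constructed, and the failed-login threshold is an assumed baseline.

```python
import ipaddress
from collections import Counter
import re

# Constructed sample sshd-style log lines; not taken from any real system.
SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[1]: Failed password for root from 203.0.113.7 port 5001 ssh2
Mar 10 09:01:03 host sshd[1]: Failed password for root from 203.0.113.7 port 5002 ssh2
Mar 10 09:01:04 host sshd[1]: Failed password for admin from 203.0.113.7 port 5003 ssh2
Mar 10 09:01:05 host sshd[1]: Failed password for guest from 203.0.113.7 port 5004 ssh2
Mar 10 09:02:00 host sshd[1]: Accepted publickey for alice from 192.0.2.10 port 6001 ssh2
Mar 10 09:03:00 host sshd[1]: Failed password for bob from 198.51.100.25 port 7001 ssh2
Mar 10 09:03:30 host sshd[1]: Accepted password for bob from 198.51.100.25 port 7002 ssh2
"""

# Constructed blocklist: entries may be single hosts or CIDR ranges.
BLOCKLIST = ["192.0.2.0/24", "203.0.113.250"]

SRC_IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def load_blocklist(entries):
    # strict=False lets a bare host address be parsed as a /32 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_blocklisted(ip, networks):
    # Reputation signal: membership in any listed host or range.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def analyse(log_text, blocklist_entries, failed_threshold=4):
    """Return {ip: [reasons]} for IPs on the blocklist or above the failed-login baseline."""
    networks = load_blocklist(blocklist_entries)
    failures = Counter()
    seen = set()
    for line in log_text.splitlines():
        m = SRC_IP_RE.search(line)
        if not m:
            continue
        seen.add(m.group(1))
        if "Failed password" in line:  # behaviour signal: repeated failed logins
            failures[m.group(1)] += 1
    flagged = {}
    for ip in sorted(seen):
        reasons = []
        if is_blocklisted(ip, networks):
            reasons.append("on blocklist")
        if failures[ip] >= failed_threshold:  # assumed baseline, tune per environment
            reasons.append(f"{failures[ip]} failed logins (threshold {failed_threshold})")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Calling `analyse(SAMPLE_LOG, BLOCKLIST)` flags the brute-forcing host and the blocklisted host, each with its reason, while the user who mistyped a password once is left alone.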

References:

https://en.wikipedia.org/wiki/IP_address

https://community.spiceworks.com/networking/articles/2465-how-to-block-suspicious-ip-addresses-to-secure-your-network

https://docs.trendmicro.com/all/ent/imsva/v8.5/en-us/imsva8.5_olh/disp_susp_ip_dom.html

https://www.cise.ufl.edu/~eragan/papers/Goodall_Situ_2018.pdf

https://go.recordedfuture.com/hubfs/reports/two-shady-men.pdf

https://docs.bitnami.com/aws/faq/configuration/block-suspicious-ip/

https://www.researchgate.net/publication/261113798_Detecting_Malicious_Websites_by_Learning_IP_Address_Features

https://www.tripwire.com/state-of-security/latest-security-news/more-than-90-of-suspicious-ip-addresses-not-identified-by-blacklists/
