For the last few days, our IPS detected that about 1 remote IP address per 1-2 days out
there in the Internet that attempted to access our site are triggering Heartbeat signature alerts. However, we & the IPS vendor can't be certain if these are false positives.
At 1-2 IP addresses, it may be manageable to block those IP & after say several months,
lift up the rules that block them but we're concerned that
Is there any website, mailing list or any method out there that help determine if
the remote source IP addresses are known to be malicious?
If I use our local ISP's DNS to do nslookup & it returned that the IP is of
'Non-existent domain', can I safely block it & assume it's malicious? I'm
assuming a non-existent or non-registered IP has malicious intent
Appreciate if anyone can take a look & tell me if the following IP are known
to be malicious or related to Heartbeat?
188.8.131.52 ==> 62-76-40-157.clodo.ru
184.108.40.206 ==> Non-existent domain
220.127.116.11 ==> hamsa.cs.northwestern.edu
18.104.22.168 ==> Non-existent domain
22.214.171.124 ==> Non-existent domain
10.251.87.209 ==> Non-existent domain
Can I take the approach to block first & when a a genuine/non-malicious user
call up to complain his access is blocked, then only unblock it? So assume
malicious unless proven otherwise. I suppose this is feasible if we're not
getting lots of IP daily to block.