Solved

Assess http://www.threatstop.com/checkip : its reliability & source

Posted on 2014-09-03
727 Views
Last Modified: 2016-03-23
www.threatstop.com/checkip

The above site gave quite a good rating of suspicious IP sources, in fact
better than the commercial one that our corporation is using.

Q1:
Any idea where it obtains its inputs from and how it derives that those IPs
are suspicious/malicious?  I need to explain to our governance
authority why it's reliable and whether there's any concern about using it.


Q2:
https://www.google.com.sg/search?newwindow=1&site=&source=hp&q=malicious+IP+list&oq=malicious+IP+list&gs_l=hp.3..0j0i22i30l3.1303.4292.0.6900.18.18.0.0.0.0.226.1153.17j0j1.18.0....0...1c.1.52.hp..1.17.920.0.rGLWwo2ULMc

I've combed quite a few sites from the Google results above but none of them are comprehensive
/accurate, including TrendMicro's.  Any other good sites comparable to the above that anyone
can suggest?
Question by:sunhux

3 Comments

Accepted Solution by: btan (earned 500 total points)
ID: 40302531
It will have come from DShield, SRI International, Shadow Server, Internet Storm Center and PhishTank, which are open intelligence and largely dependent on IP reputation too, as the background of the group seems affiliated to DShield.

The mentioned are also widely adopted sources, and of course if compared to commercial there is always the extra insight that comes from the commercially offered sensors deployed globally, the intel they receive from customers, and the security center monitoring the underground and global threat sources plus their sensors. There should be some difference, and it really depends how they rate the threat level - good to know the commercial criteria for factoring the various threat levels, e.g. based on CVSS or CVE or MITRE measures, exploitability index etc.

They stated their threat list is automatically distributed via DNS to your firewalls: "We propagate lists of IP addresses as Multi-Host DNS A records, so that firewalls and other traffic management devices can use them as rules." They prime themselves to update their database in real time and distribute the updates every two hours. But do note the below:

What do the results mean?
Any IP address which is listed on the results page has attempted to contact an IP address used by DNS Changer. These IP addresses are not used by anything except the DNS changer servers hosted by ISC so it is highly likely that the computer at that IP address is infected with DNS changer. Using your internal address management tools you can identify the computer and then clean it up. We put the raw log line on the report so that you can see the time(s) of the event(s) which will help if you have relatively short DHCP leases on your network.

(Also from their FAQ) http://www.threatstop.com/faq#t2n50
The identification and profiling of IP addresses to determine whether they are "good or bad" that enables network administrators to set a policy to manage, usually by allowing or blocking based on the reputation, communication to and from that address. In contrast to the currently dominant approach of security solutions, which tries to track the attack signatures, IP reputation tracks who is doing the attacking. The approach works due to the fundamental fact that all Internet communications start and end with an IP address.

Furthermore, they stated their list is "derived from public and proprietary malware monitors across the Internet and cross correlated and prioritized by our heuristics engine. This list is constantly monitored, renewed and culled to ensure the best coverage and accuracy. It is currently updated every 15 minutes, with the full list containing 30,000 entries (22,000 addresses + 8,000 /24 networks)."

As for good sources, the Google link has listed some good ones, but the challenge is that, reputation based or not, there tend to be false positives. It is always good to depend on a baseline where C&C callback server IPs are put in place, but there is no guarantee they are there permanently, as fast flux in this cyber climate is too dynamic; IP changes and researcher sinkhole server IPs all make it more complicated to have a reliable list. Hence tracking and reviewing logs with blacklisted IPs and other anomalies is the best effort to sieve out anomalies (including other metadata like DNS, HTTP, SSL, DHCP anomalous content and transactions etc.).

Some for consideration (including the low-hanging fruit on trojan lists) can include:
Norse Darklist: Commercial service http://www.norse-corp.com/darklist.html
The others below are "free":
robtex - https://www.robtex.com/
Domain Dossier - http://centralops.net/co/DomainDossier.aspx?dom_whois=1
Sourcefire VRT - http://labs.snort.org/iplists/
malc0de - http://malc0de.com/bl/
cymru - http://www.team-cymru.org/Services/Bogons/bogon-dd.html
project honeynet - http://www.projecthoneypot.org/list_of_ips.php
Zeustracker - https://zeustracker.abuse.ch/blocklist.php
spyeye tracker - https://spyeyetracker.abuse.ch/monitor.php?browse=binaries
Sucuri - http://sitecheck.sucuri.net/?page=tools&title=blacklist

Author Comment by: sunhux
ID: 40307497
One last query:

If I wanted to get a list of ThreatSTOP's bad (suspicious/malicious)
IPs, is there any way to get it? Though it will get obsolete,
they have a great list.  Perhaps I'll try to chat with their analyst.

Assisted Solution by: btan (earned 500 total points)
ID: 40307528
TS does not share the list of IPs (sadly) and only allows it via the single IP check or the uploaded log check. Indeed worthwhile talking further, and do note that their service update is every 15 minutes, with the full list containing 30,000 entries (22,000 addresses + 8,000 /24 networks).
http://www.threatstop.com/checkip
http://www.threatstop.com/checklogs

The ThreatSTOP threat list is automatically distributed via DNS to your firewalls. They propagate lists of IP addresses as Multi-Host DNS A records, so that firewalls and other traffic management devices can use them as rules. You can probably note their offering from the FAQ to know it better as you talk to them...

What is ThreatSTOP offering?
We are offering to parse logfiles from firewalls, IDSes and so on to see whether any computers on your network are using the DNS Changer IP addresses for their DNS or are attempting to contact the sinkholes for other malware such as conficker. We do this by parsing logfiles uploaded to us and extracting lines that contain the DNS Changer or Sinkholed addresses. We then give you a report that tells you what IP addresses on your network are communicating with these servers.
How do I use this service?
You should make sure that your firewall or IDS is logging all outbound attempts on port 53 (DNS). It may be simplest to log all traffic. You can either log this data on the device itself or use a separate syslog server and if you have a tool like splunk or Juniper's STRM you can use that too.

Then once you have some log data you should upload the logfile to us via the main webpage. We will parse it and give you a report that you can download and use to clean up infected computers. You can see a sample report here.

If you are using splunk or similar then you should export the data from the system either in raw format or as a summary in CSV format. We only need the source and destination IP addresses and will ignore anything else (name, port, count, time etc.) but you may find it useful to include a timestamp.
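As an added example (not ThreatSTOP's code and not from either participant), the script below does offline what the quoted FAQ describes: it loads a blocklist in the two shapes mentioned in the answers (single addresses and /24 networks), parses firewall log lines, and reports which internal hosts talked to a listed destination, optionally restricted to outbound port 53 as the FAQ suggests logging. The blocklist entries and the iptables-style log lines are constructed from RFC 5737 documentation ranges and are not real ThreatSTOP data; the field names SRC/DST/DPT follow the iptables LOG target format.

```python
import ipaddress
import re

# Constructed blocklist: two single addresses and one /24 network, in the
# "22,000 addresses + 8,000 /24 networks" shape the answers describe.
# RFC 5737 documentation ranges, not real threat data.
BLOCKLIST_ENTRIES = ["198.51.100.23", "203.0.113.0/24", "192.0.2.77"]

# Constructed iptables-style firewall log lines (not from a real firewall).
LOG_LINES = [
    "Sep  3 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.23 PROTO=UDP SPT=51234 DPT=53",
    "Sep  3 10:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=203.0.113.88 PROTO=TCP SPT=44010 DPT=443",
    "Sep  3 10:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.200 PROTO=UDP SPT=51235 DPT=53",
    "Sep  3 10:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.31 DST=192.0.2.77 PROTO=UDP SPT=40000 DPT=53",
    "Sep  3 10:01:12 fw sshd[123]: Accepted publickey for admin from 10.0.0.5",  # no SRC/DST, skipped
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_blocklist(entries):
    """Split entries into exact hosts (dict addr -> entry) and networks (list of (net, entry))."""
    hosts = {}
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == net.max_prefixlen:
            hosts[net.network_address] = entry
        else:
            nets.append((net, entry))
    return hosts, nets


def match_entry(ip_text, hosts, nets):
    """Return the blocklist entry that covers ip_text, or None if it is not listed."""
    addr = ipaddress.ip_address(ip_text)
    if addr in hosts:
        return hosts[addr]
    for net, entry in nets:
        if addr in net:
            return entry
    return None


def parse_line(line):
    """Extract SRC, DST and DPT from an iptables LOG line; None if the line is not one."""
    fields = dict(KV_RE.findall(line))
    if not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "dpt": int(fields["DPT"])}


def find_hits(lines, hosts, nets, dns_only=False):
    """Return (src, dst, dpt, matched_entry) for every log line whose destination is listed.

    dns_only restricts the check to outbound port 53, matching the FAQ's advice to
    log DNS traffic when hunting DNS Changer style infections.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or (dns_only and rec["dpt"] != 53):
            continue
        entry = match_entry(rec["dst"], hosts, nets)
        if entry is not None:
            hits.append((rec["src"], rec["dst"], rec["dpt"], entry))
    return hits


def suspected_hosts(hits):
    """Internal addresses to follow up on, sorted and de-duplicated."""
    return sorted({src for src, _, _, _ in hits}, key=ipaddress.ip_address)


if __name__ == "__main__":
    hosts, nets = load_blocklist(BLOCKLIST_ENTRIES)
    for src, dst, dpt, entry in find_hits(LOG_LINES, hosts, nets):
        print(f"{src} -> {dst}:{dpt} matches blocklist entry {entry}")
    print("hosts to clean up:", suspected_hosts(find_hits(LOG_LINES, hosts, nets)))
```

Note that 198.51.100.200 is deliberately not reported: it shares a /24 with a listed single address but the list entry is a /32, so an exact-host entry must not be widened into a network match. Keeping hosts in a dict and networks in a list is enough at this size; for a list of tens of thousands of entries refreshed every 15 minutes, a radix tree keyed on prefix would be the usual structure.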