

Assess http://www.threatstop.com/checkip : its reliability & source

Posted on 2014-09-03
Last Modified: 2016-03-23

The above site gave quite a good rating of suspicious IP sources, in fact
better than the commercial one that our corporation is using.

Any idea where it obtains its inputs from and how it derives that those IPs
are suspicious/malicious?  I need to explain to our governance
authority why it's reliable & whether there's any concern about using it.


I've combed quite a few sites from the Google results above but none of them are comprehensive
/accurate, including TrendMicro's.  Any other good sites comparable to the above that anyone
can suggest?
Question by:sunhux

Accepted Solution

btan earned 2000 total points
ID: 40302531
It will have come from DShield, SRI International, Shadow Server, Internet Storm Center and PhishTank, which are open intelligence and largely dependent on IP reputation too, as the background of the group seems affiliated to DShield.

The mentioned are also widely adopted sources, and of course, compared to commercial ones, there is always the extra where insights can come from the commercially offered sensors deployed globally, the intel they receive from customers and the security centre monitoring the underground and global threat sources cum their sensors. There should be some difference, and it really depends how they rate the threat level - good to know the commercial criteria for factoring the various threat levels, e.g. based on CVSS or CVE or Mitre measures, exploitability index etc.

They stated their threat list is automatically distributed via DNS to your firewalls: "We propagate lists of IP addresses as Multi-Host DNS A records, so that firewalls and other traffic management devices can use them as rules." They prime themselves to update their database in real time and distribute the updates every two hours. But do note below:
What do the results mean?
Any IP address which is listed on the results page has attempted to contact an IP address used by DNS Changer. These IP addresses are not used by anything except the DNS changer servers hosted by ISC so it is highly likely that the computer at that IP address is infected with DNS changer. Using your internal address management tools you can identify the computer and then clean it up. We put the raw log line on the report so that you can see the time(s) of the event(s) which will help if you have relatively short DHCP leases on your network.
(Also from their FAQ) http://www.threatstop.com/faq#t2n50
the identification and profiling of IP addresses to determine whether they are “good or bad” that enables network administrators to set a policy to manage, usually by allowing or blocking based on the reputation, communication to and from that address. In contrast to the currently dominant approach of security solutions, which tries to track the attack signatures, IP reputation tracks who is doing the attacking. The approach works due to the fundamental fact that all Internet communications start and end with an IP address.

Furthermore, they stated their list is derived from public and proprietary malware monitors across the Internet and cross correlated and prioritized by our heuristics engine. This list is constantly monitored, renewed and culled to ensure the best coverage and accuracy. It is currently updated every 15 minutes, with the full list containing 30,000 entries (22,000 addresses + 8,000 /24 networks).
As for good sources, the Google link has listed some good ones, but the challenge is that, reputation based or not, there tend to be false positives, and it is always good to depend on a baseline where the C&C callback server IP is put in place, but there is no guarantee it is there permanently, as fast flux in this cyber climate is too dynamic and IP changes and researcher sinkhole server IPs all make it more complicated to have a reliable list - hence tracking and reviewing logs with blacklisted IPs and other anomalies is the best effort to sieve out anomalies (including other metadata like DNS, HTTP, SSL, DHCP anomalous content and transactions etc.).

Some for consideration (including low-hanging ones on the trojan list) can include:
Norse Darklist: commercial service http://www.norse-corp.com/darklist.html
The others below are "free":
robtex - https://www.robtex.com/
Domain Dossier - http://centralops.net/co/DomainDossier.aspx?dom_whois=1
Sourcefire VRT - http://labs.snort.org/iplists/
malc0de - http://malc0de.com/bl/
cymru - http://www.team-cymru.org/Services/Bogons/bogon-dd.html
project honeynet - http://www.projecthoneypot.org/list_of_ips.php
Zeustracker - https://zeustracker.abuse.ch/blocklist.php
spyeye tracker - https://spyeyetracker.abuse.ch/monitor.php?browse=binaries
Sucuri - http://sitecheck.sucuri.net/?page=tools&title=blacklist

Author Comment

ID: 40307497
One last query:

If I wanted to get a list of ThreatSTOP's bad (suspicious/malicious)
IPs, is there any way to get it? Though it will become obsolete,
they have a great list.  Perhaps I'll try to chat with their analyst.

Assisted Solution

btan earned 2000 total points
ID: 40307528
TS does not share the list of IPs (sadly) and only allows it via the single IP check or the uploaded log check. Indeed worthwhile talking further, and do note that their service update is every 15 minutes, with the full list containing 30,000 entries (22,000 addresses + 8,000 /24 networks).

The ThreatSTOP threat list is automatically distributed via DNS to your firewalls. They propagate lists of IP addresses as Multi-Host DNS A records, so that firewalls and other traffic management devices can use them as rules. You probably can note their offering from the FAQ to know better as you talk to them...

What is ThreatSTOP offering?
We are offering to parse logfiles from firewalls, IDSes and so on to see whether any computers on your network are using the DNS Changer IP addresses for their DNS or are attempting to contact the sinkholes for other malware such as conficker. We do this by parsing logfiles uploaded to us and extracting lines that contain the DNS Changer or Sinkholed addresses. We then give you a report that tells you what IP addresses on your network are communicating with these servers.
How do I use this service?
You should make sure that your firewall or IDS is logging all outbound attempts on port 53 (DNS). It may be simplest to log all traffic. You can either log this data on the device itself or use a separate syslog server and if you have a tool like splunk or Juniper's STRM you can use that too.

Then once you have some log data you should upload the logfile to us via the main webpage. We will parse it and give you a report that you can download and use to clean up infected computers. You can see a sample report here.

If you are using splunk or similar then you should export the data from the system either in raw format or as a summary in CSV format. We only need the source and destination IP addresses and will ignore anything else (name, port, count, time etc.) but you may find it useful to include a timestamp.
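The log check described in the FAQ above (extract source/destination addresses from firewall logs or a CSV export and match them against a list of single addresses plus /24 networks) can be reproduced locally for your own review. This is an added example, not ThreatSTOP's tooling; the blocklist entries and log lines are constructed sample data.

```python
import ipaddress
import re

# Constructed sample list in the shape the answer describes: single addresses plus /24 networks.
SAMPLE_LIST = """
203.0.113.7
203.0.113.9
198.51.100.0/24
"""

# Constructed log input: two iptables-style syslog lines and one CSV summary row (src,dst,port,proto).
SAMPLE_LOGS = [
    "Sep  3 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=UDP DPT=53",
    "Sep  3 10:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.6 DST=8.8.8.8 PROTO=UDP DPT=53",
    "10.0.0.9,198.51.100.42,53,17",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_blocklist(text):
    """One entry per line, address or CIDR; blanks, comments and unparsable entries are skipped."""
    nets = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(raw, strict=False))  # "a.b.c.d" becomes a /32
        except ValueError:
            continue
    return nets

def _valid(ip):
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:  # regex also matches junk like 999.1.1.1
        return False

def is_listed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def scan_logs(lines, nets):
    """Return (your host, listed peer, raw line) for each line touching a listed address."""
    hits = []
    for line in lines:
        ips = [ip for ip in IPV4_RE.findall(line) if _valid(ip)]
        listed = [ip for ip in ips if is_listed(ip, nets)]
        if listed:
            own = [ip for ip in ips if ip not in listed]
            hits.append((own[0] if own else None, listed[0], line))  # keep raw line for timestamps
    return hits
```

Only the addresses are needed for the match, which is why the CSV row with extra columns parses the same as the syslog lines.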
