Assess: its reliability & source

The above site gave quite a good rating of suspicious IP sources, in fact
better than a commercial one that our corporation is using.

Any idea how it obtains its inputs and how it derives that those IPs
are suspicious/malicious? I need to explain to our governance
authority why it's reliable & whether there's any concern about using it.

I've combed quite a few sites from the Google results above but none of them are comprehensive
/accurate, including TrendMicro's. Any other good sites comparable to the above that anyone
can suggest?

btan (Exec Consultant) commented:
It will have come from DShield, SRI International, Shadowserver, Internet Storm Center and PhishTank, which are open intelligence sources and largely dependent on IP reputation too, as the background of the group seems affiliated to DShield.

The mentioned source is also widely adopted. Of course, compared to a commercial one there is always the extra: insights can come from the commercially offered sensors deployed globally, the intel they receive from customers, and the security center monitoring the underground and global threat sources together with their sensors. There should be some difference, and it really depends on how they rate the threat level; it is good to know the commercial criteria for factoring in the various threat levels, e.g. based on CVSS or CVE or MITRE measures, exploitability index, etc.

They stated their threat list is automatically distributed via DNS to your firewalls: "We propagate lists of IP addresses as Multi-Host DNS A records, so that firewalls and other traffic management devices can use them as rules." They prime themselves to update their database in real time and distribute the updates every two hours. But do note the below (from their FAQ):

What do the results mean?
Any IP address which is listed on the results page has attempted to contact an IP address used by DNS Changer. These IP addresses are not used by anything except the DNS Changer servers hosted by ISC, so it is highly likely that the computer at that IP address is infected with DNS Changer. Using your internal address management tools you can identify the computer and then clean it up. We put the raw log line on the report so that you can see the time(s) of the event(s), which will help if you have relatively short DHCP leases on your network.

(Also from their FAQ)
The identification and profiling of IP addresses to determine whether they are "good or bad" enables network administrators to set a policy to manage, usually by allowing or blocking based on the reputation, communication to and from that address. In contrast to the currently dominant approach of security solutions, which tries to track the attack signatures, IP reputation tracks who is doing the attacking. The approach works due to the fundamental fact that all Internet communications start and end with an IP address.

Furthermore, they stated their list "is derived from public and proprietary malware monitors across the Internet and cross correlated and prioritized by our heuristics engine. This list is constantly monitored, renewed and culled to ensure the best coverage and accuracy. It is currently updated every 15 minutes, with the full list containing 30,000 entries (22,000 addresses + 8,000 /24 networks)."

As for good sources, the Google link has listed some good ones, but the challenge is that, reputation-based or not, there tend to be false positives. It is always good to depend on a baseline where the C&C callback server IPs are put in place, but there is no guarantee they stay there permanently, as fast flux in this cyber climate is too dynamic; IP changes and researcher sinkhole server IPs all make it more complicated to have a reliable list. Hence tracking and reviewing logs against blacklisted IPs and other anomalies is the best effort to sieve out anomalies (including other metadata like DNS, HTTP, SSL, DHCP anomalous content and transactions, etc.).

Some for consideration (including the low-hanging fruit on the trojan lists) can include:
Norse Darklist: commercial service
The others below are "free":
robtex -
Domain Dossier -
Sourcefire VRT -
malc0de -
cymru -
project honeynet -
Zeustracker -
spyeye tracker -
Sucuri -

sunhux (Author) commented:
One last query:

If I wanted to get a list of ThreatSTOP's bad (suspicious/malicious)
IPs, is there any way to get it? Though it will become obsolete,
they have a great list. Perhaps I'll try to chat with their analyst.
btan (Exec Consultant) commented:
TS does not share the list of IPs (sadly) and only allows it via the single-IP check or the log-upload check. Indeed it is worthwhile talking further, and do note that their service update is every 15 minutes, with the full list containing 30,000 entries (22,000 addresses + 8,000 /24 networks).

The ThreatSTOP threat list is automatically distributed via DNS to your firewalls. They propagate lists of IP addresses as Multi-Host DNS A records, so that firewalls and other traffic management devices can use them as rules. You can probably note their offering from the FAQ to know it better as you talk to them...

What is ThreatSTOP offering?
We are offering to parse logfiles from firewalls, IDSes and so on to see whether any computers on your network are using the DNS Changer IP addresses for their DNS or are attempting to contact the sinkholes for other malware such as Conficker. We do this by parsing logfiles uploaded to us and extracting lines that contain the DNS Changer or sinkholed addresses. We then give you a report that tells you what IP addresses on your network are communicating with these servers.

How do I use this service?
You should make sure that your firewall or IDS is logging all outbound attempts on port 53 (DNS). It may be simplest to log all traffic. You can either log this data on the device itself or use a separate syslog server, and if you have a tool like Splunk or Juniper's STRM you can use that too.

Then once you have some log data you should upload the logfile to us via the main webpage. We will parse it and give you a report that you can download and use to clean up infected computers. You can see a sample report here.

If you are using Splunk or similar then you should export the data from the system either in raw format or as a summary in CSV format. We only need the source and destination IP addresses and will ignore anything else (name, port, count, time etc.), but you may find it useful to include a timestamp.
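The two answers above describe the same defensive workflow from two angles: reviewing firewall logs against a reputation list made up of single addresses plus /24 networks, and checking whether any internal host is sending DNS (port 53) to a resolver it should not be using, which is what the DNS Changer log-upload check does. The script below is an added example written for this thread; it is not ThreatSTOP's code and does not use their list. It assumes an iptables-style syslog line format (`SRC=... DST=... DPT=...`), and every IP, network and log line in it is constructed from documentation ranges, not real intelligence.

```python
"""Match firewall log lines against an IP reputation list (addresses and CIDR
networks) and flag outbound DNS to resolvers that are not the approved ones.
Added example for this thread; all data below is constructed, not real intel."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed reputation list in the shape the answers describe:
# plain addresses plus /24 networks. Comments and blank lines are tolerated.
BLOCKLIST_ENTRIES = [
    "# constructed sample list",
    "203.0.113.45",
    "198.51.100.0/24",
    "192.0.2.77",
]

# Constructed: the only resolvers internal hosts are allowed to query.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample log lines (iptables/syslog style is an assumption).
SAMPLE_LOGS = """\
Mar 10 09:12:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=203.0.113.45 PROTO=TCP SPT=51234 DPT=443
Mar 10 09:12:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.5.22 DST=198.51.100.200 PROTO=UDP SPT=40001 DPT=53
Mar 10 09:12:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=10.0.0.53 PROTO=UDP SPT=40002 DPT=53
Mar 10 09:12:07 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.5.24 DST=203.0.113.9 PROTO=TCP SPT=40003 DPT=80
Mar 10 09:12:09 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.5.25 DST=192.0.2.10 PROTO=UDP SPT=40004 DPT=53
this line is deliberately unparseable and must be skipped, not crash the run
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+)\s+DST=(?P<dst>[0-9a-fA-F.:]+).*?\bDPT=(?P<dpt>\d+)"
)


class ReputationList:
    """Exact addresses live in a set; networks are grouped by prefix length so a
    lookup computes one candidate supernet per prefix length instead of scanning
    every network (22,000 addresses + 8,000 /24s stays O(1)-ish per line)."""

    def __init__(self, entries):
        self.addresses = set()
        self.networks = {}  # prefixlen -> set of ip_network objects
        for raw in entries:
            entry = raw.strip()
            if not entry or entry.startswith("#"):
                continue
            if "/" in entry:
                net = ipaddress.ip_network(entry, strict=False)
                self.networks.setdefault(net.prefixlen, set()).add(net)
            else:
                self.addresses.add(ipaddress.ip_address(entry))

    def lookup(self, ip):
        """Return the list entry that covers `ip` as a string, or None."""
        addr = ipaddress.ip_address(ip)
        if addr in self.addresses:
            return str(addr)
        for plen, nets in self.networks.items():
            candidate = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if candidate in nets:
                return str(candidate)
        return None


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def analyse(log_text, replist, approved_resolvers):
    """Parse each line; emit a Finding per reputation hit and per DNS query
    that goes to a resolver outside the approved set."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip, keep going
        timestamp = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
        src, dst, dpt = m.group("src"), m.group("dst"), int(m.group("dpt"))
        try:
            hit = replist.lookup(dst)
        except ValueError:
            continue  # malformed address captured by the regex
        if hit:
            findings.append(Finding(timestamp, src, dst, f"destination on reputation list ({hit})"))
        if dpt == 53 and dst not in approved_resolvers:
            findings.append(Finding(timestamp, src, dst, "DNS query to non-approved resolver"))
    return findings


def hosts_to_clean(findings):
    """Internal source addresses that produced at least one finding."""
    return {f.src for f in findings}


if __name__ == "__main__":
    results = analyse(SAMPLE_LOGS, ReputationList(BLOCKLIST_ENTRIES), APPROVED_RESOLVERS)
    for f in results:
        print(f"{f.timestamp}  {f.src} -> {f.dst}  {f.reason}")
    print("hosts to investigate:", sorted(hosts_to_clean(results)))
```

The timestamp is carried into each finding for the reason the FAQ gives: with short DHCP leases you need the time of the event to map a source address back to a machine. Because the answers warn that reputation lists carry false positives and go stale, the script reports and groups hits rather than blocking on them; the list itself would be refreshed from whatever feed you subscribe to, on its own schedule.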