As stewards of the Web, Internet infrastructure providers are often held accountable for ensuring the safety of users. Sadly, the recent spate of high-profile security incidents shows that this is not an easy task. Targeted ransomware, cyberespionage, and phishing attacks due to new domain registrations and client-side vulnerabilities are on the rise. And despite infosec watchdogs sounding the alarm, most hosting companies and Internet service providers (ISPs) still fall short when it comes to policing online properties.

That said, one way Internet resource providers can prevent their services from being abused is to routinely purge bad hosts. By performing WHOIS or reverse IP lookups, analysts can learn more about domains and IP addresses that figure in attacks and take actions against them. In particular, with the help of solutions like WHOIS Lookup and Reverse IP API, they can prevent users from getting assigned junk IP addresses or domains or falling prey to threats that use these.

Why Identifying Suspicious Hosts Matters

Preventing the registration and use of shady domains and IP addresses by actively removing them from your address pool benefits end-users in the long run. Not only can this thwart fraud and ongoing malicious campaigns, but it also guarantees seamless web-based service operations.

For example, blacklisted dynamic IP addresses accidentally assigned to legitimate home users could prevent them from signing up for accounts or online services. How so? ISPs typically assign dynamic IP addresses to basic plan subscribers. Because such addresses are free, virtually anyone can use them in good as well as bad ways, which is why they sometimes end up in blacklists. Website owners, meanwhile, would find their sites missing from search engine results pages (SERPs) for sharing hosts with offending websites.

Bolstering Defenses with WHOIS and Reverse IP Lookups

Let’s take a closer look at how large hosting providers and users, in general, can steer clear of compromised hosts. For instance, OVH is a long-established French cloud computing company that has a strong foothold in Europe, North America, Africa, and Singapore. But like many other organizations, it can still find itself exposed to breaches despite having vast IT resources as its disposal.

To date, the Spamhaus blocklist has 72 OVH IP addresses used for botnet command-and-control (C&C), spam, and malware distribution servers. We found, for instance, that the abused second-level domain (2LD), 220[.]ip-193-70-43[.]eu was registered at OVH by an undisclosed registrant. We couldn’t find much more detail than that, so we obtained its corresponding IP address—193[.]70[.]43[.]220.

A web search for the said IP address revealed that it happens to be present in spam blocklists. In one blocklist, it was reported for abuse more than 4,000 times. Another also flagged the IP address for spam and brute-force attacks against 22 websites.

We then used Reverse IP/DNS API to retrieve all the domains connected to the IP address.

We found two domains hosted on the same server. While this would have to be confirmed by OVH, our interpretation is that both domains appear to be autogenerated names assigned to dynamic addresses by the hosting provider for technical reasons. In terms of next steps, it’s advisable to send a report to OVH with the IP and the date of the incident (they will know who had that dynamical IP at that time). What’s more, one may want to monitor that these domains do not appear in any communication—e.g., in the body of a phishing e-mail or elsewhere.

* * *

Cleaning up the domain name space is a massive endeavor that requires a concerted effort from all stakeholders. However, by regularly scrubbing their namespaces with the help of WHOIS and reverse IP lookups, Internet infrastructure companies can prevent the reputational damage that goes with resource oversight. Most importantly, they can protect users from the impact of devastating breaches.