NordVPN Promotion

Home / Industry

Enriching IP Blacklists Using a Reverse IP/DNS Database

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Every organization faces two kinds of cyber threats daily—“known” and “unknown” ones. Known threats are those that security experts have discovered, often published in blogs and major news outfits with accompanying indicators of compromise (IoCs). Unknown threats, meanwhile, are those that remain hidden to victims and researchers. IoCs for these have yet to be identified and disclosed.

One way to detect unknown threats is by using known IoCs as a starting point. That is possible through blacklist enrichment. That said, enterprises may find it useful to dive deeper into their existing blacklists to discover attackers’ entire digital footprint using a harmful or downright malicious IP address as an input. We show how to do that in this post aided by a reverse IP/DNS database.

Find Otherwise-Hidden Connections to Malicious Domains

To illustrate, we obtained a list of the 20 most recent malicious IP address additions (as of 30 September 2020) to the AbuseIPDB database, which include:

IP AddressNumber of Citations for Malicious Activity
158[.]69[.]110[.]318,870
141[.]98[.]9[.]1653,038
222[.]186[.]30[.]1123,036
91[.]204[.]248[.]422,311
106[.]12[.]92[.]2462,264
180[.]76[.]186[.]1091,253
147[.]135[.]135[.]1111,133
171[.]34[.]78[.]119467
116[.]233[.]19[.]80454
106[.]13[.]177[.]53444
209[.]97[.]166[.]234139
119[.]28[.]223[.]22948
59[.]42[.]39[.]12527
113[.]173[.]192[.]1172
123[.]27[.]89[.]502
180[.]120[.]211[.]1912
206[.]189[.]72[.]1612
141[.]98[.]9[.]1661
156[.]199[.]196[.]1371
222[.]138[.]49[.]791
General Findings

Initial analysis of the IP addresses cited for violations revealed the following:

  • Nine out of the 20 IP addresses were based in China according to their IP geolocation.
  • 158[.]69[.]110[.]31 was cited the most number of times (8,870 times to be exact) for a variety of malicious activities.
  • The top 3 reasons for malicious citations were hacking (18 IP addresses), File Transfer Protocol (FTP) brute force (17 IP addresses), and brute force (16 IP addresses).

A Deeper Dive into the Digital Footprint of a Malicious IP Address Using Reverse IP/DNS Database

While IP-level blocking could protect organizations from the threats that any malicious IP address such as 209[.]97[.]166[.]234 can bring, it may not be sufficient or optimal. An alternative or complementary approach would be to seek and block domains or subdomains connected to malicious IP addresses though only after confirming these are harmful.

Our reverse IP/DNS database, for instance, showed that 209[.]97[.]166[.]234 resolved to the following domains and subdomains at some point in time:

  • mx12[.]collision48419[.]tokyo on 19 August 2020
  • coingnu[.]com on 27 November 2019
  • khun-teee[.]com on 28 August 2019
  • naitinoi[.]com on 20 August 2019
  • rhicavipz[.]me on 30 November 2018
  • manage-apleid[.]ddns[.]net on 26 November 2018
  • anumase[.]ddns[.]net on 25 November 2018
  • appleidmanage[.]ddns[.]net on 25 November 2018
  • hmmjembod[.]sytes[.]net on 25 November 2018
  • applelockedreview[.]myvnc[.]com on 25 November 2018
  • tools[.]hackers[.]moe on 2 November 2018
  • openph[.]org on 5 July 2018
  • staging[.]openph[.]org on 5 July 2018

Users can check these entities using a threat intelligence platform or publicly available threat databases to see if any related domains or subdomains may require blacklisting. From the list above, for example, we found that appleidmanage[.]ddns[.]net was dubbed malicious on VirusTotal.


Organizations that only rely and block access to and from known IoCs might miss out on the opportunity to bolster their cybersecurity. The identification of dangerous properties that may represent yet unknown threats is possible by subjecting malicious IP addresses to further checks using a reverse IP/DNS database.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

NordVPN Promotion