The attack surface of every Internet user gets wider every day, but it doesn’t mean there’s nothing that can be done about it. For one, analyzing possible attack vectors, such as suspicious or malicious domain names and IP addresses, can help with attack surface management. To illustrate, we analyzed 154 suspected malicious IP addresses using a combination of WHOIS and IP intelligence tools.

Hundreds of websites have blacklisted these IP addresses because of their involvement in different malicious activities. The goal of this study is to gain insights into these possible attack entry points by answering the following questions:

• From what countries do these attack vectors originate?
• What registrars and Internet service providers (ISPs) do they mostly use?
• Are the connected domain names malicious or, at the very least, suspicious?

The Data: 154 Malicious IP Addresses Associated with 316 Domain Names

The IP Blacklist Cloud compiled a list of around 200 malicious IP addresses that have been blocked by hundreds of websites. Out of these, Bulk IP Geolocation API was able to process only 154 IP addresses. The rest may already be unused and so no longer have useful geolocation data.

The IP geolocation tool further returned a total of 316 domain names connected to the malicious IP addresses. We retrieved their WHOIS records using Bulk WHOIS Lookup.

IP Geolocation of Malicious Addresses

About 75% of the blacklisted IP addresses can be traced to the 10 countries shown in the chart below. Almost half are spread between France (28%) and the U.S. (22%).

These two countries are, interestingly, also the frontrunners for the registrant countries of the 316 domains connected to the malicious IP addresses.

Registrant Countries of Connected Domains

About 83% of the connected domains also belonged to the top 10 IP address registrant countries. The U.S. and France accounted for 47%. The chart below reflects the distribution of the domain names according to their registrant country.

The U.S. has always been on the list of countries where malicious activities come from. As of 5 November 2020, it is, in fact, number 1 on Spamhaus’s list of worst spam countries and second on the worst botnet countries list.

France, on the other hand, appears to be an emerging center for malicious activities. It is not found on Spamhaus’s lists, but it was the number 1 source of malicious attack traffic targeting European users in 2019.

ISPs of Malicious IP Addresses

Digital Ocean is the ISP of 26% of the malicious IP addresses, followed by OVH and Online SAS with shares of 17% and 13%, respectively. GoDaddy and Microsoft took the fourth and fifth places with shares of 6% and 3%., respectively The rest of the IP addresses were distributed across 40 other ISPs.

The Nature of the Connected Domains

Not all of the domain names connected to the malicious IP addresses were malicious. But some could be among the dozens of domains that resolved to a malicious IP address at a particular time. However, the fact that the IP addresses they are associated with are malicious makes them vulnerable and, therefore, suspicious. Caution should be exercised when dealing with these domain names.

To illustrate, we found that the subdomains of justinstalledpanel[.]com resolved to at least two different malicious IP addresses.

• l0fc15ad.justinstalledpanel[.]com resolved to 62[.]210[.]205[.]141
• l288a1e7.justinstalledpanel[.]com resolved to 62[.]210[.]205[.]141
• l7ab53f4.justinstalledpanel[.]com resolved to 163[.]172[.]111[.]182

Out of the three subdomains, only l288a1e7.justinstalledpanel[.]com was reported as malicious on VirusTotal. However, the root domain itself, justinstalledpanel[.]com, was tagged for ties to phishing, malware attacks, spamming, and other malicious activities.

The malicious domain also shares the same IP addresses with gluhwein[.]club and its subdomains. Although it is not tagged “malicious,” it should be treated with caution. The two malicious IP addresses also share the same Autonomous System Number (ASN), geoname, latitude/longitude, and street address.

Registrars of the Connected Domains

The registrar of about 24% of the domains connected to the malicious IP addresses was GoDaddy. The rest of the top 10 registrars were responsible for 46% of the connected domains. The rest were distributed across more than 30 other registrars.

The study shows that most of the malicious IP addresses came from the U.S. and France, which coincides with the related domains’ top registrant countries. Digital Ocean topped the list of ISPs responsible for the malicious IP addresses, while GoDaddy was the top registrar of the related domains. While these findings do not necessarily mean that traffic from these countries, registrars, and ISPs is dangerous, this knowledge may be relevant for cybersecurity.