
How Reverse IP Lookup API Can Help Detect Connected Domains


In 2020, reports say 94% of malware was delivered via email. Phishing remains a major threat: it accounts for more than 80% of reported security incidents, and the resulting losses have been estimated at almost US$18,000 per minute. To defend against such threats, organizations use a variety of strategies, one of which is blocking traffic to and from IP addresses known to be malicious.

Several connected domains can resolve to the same IP address, however. And not all of those domains are malicious. Some may even belong to legitimate companies that your organization may not wish to block (e.g., partners, suppliers, etc.). Other connected domains, on the other hand, may be part of the same suspicious infrastructure and may be related to web properties you need to stay away from.

The question in each case then becomes: What are those potentially connected domains? And what should you do about them? Reverse IP lookup APIs like the one provided by Threat Intelligence Platform (TIP) can help provide an answer to these questions.

How Can Reverse IP Lookup API Help?

A reverse IP lookup API returns the domains and subdomains that resolve, or have resolved, to a given IP address. That lets an organization that wants to keep spam and other malicious email out without losing legitimate communications block the specific offending domains rather than the IP address those domains share with others.

Reverse IP lookups are also useful on the other side of the problem: anyone unknowingly sharing a host with malicious web properties risks being blacklisted by organizations that block at the IP level, and a lookup reveals those neighbors before that happens.

Reverse IP Lookup API in Action

To demonstrate the usefulness of reverse IP APIs, we obtained a list of 50 malicious IP addresses as of 9 April 2021 from Abuse.ch’s ThreatFox.

Subjecting these to reverse IP API lookups yielded a list of at least 338 connected domains and subdomains. But as has been said earlier, just because a domain’s or subdomain’s host IP address is malicious doesn’t mean all of the domains and subdomains that resolved to it at one point in time are.

From this list, for instance, we analyzed 31[.]220[.]4[.]216. A reverse IP API lookup showed it is connected to three domains: cashout2018[.]ddnss[.]de, egircollector[.]net, and nonamefree[.]ru. Checks on a publicly accessible threat database showed that only cashout2018[.]ddnss[.]de is flagged as malicious. Blocking the IP address would therefore be a blunt instrument, especially for companies that might legitimately do business with egircollector[.]net or nonamefree[.]ru. Blocking access to and from cashout2018[.]ddnss[.]de alone is the more granular choice.

The same holds for the malicious IP address 3[.]22[.]53[.]161, which resolved to two hostnames: 2[.]tcp[.]ngrok[.]io and ec2-3-22-53-161[.]us-east-2[.]compute[.]amazonaws[.]com. While 2[.]tcp[.]ngrok[.]io is flagged as malicious, the amazonaws[.]com name is not at the time of writing. Note that the latter is the reverse-DNS name Amazon Web Services (AWS) assigns to every EC2 public address, so it tells you the IP sits in Amazon's pool rather than identifying a particular tenant; the address can be released and later handed to another AWS customer, including one of your own stakeholders, which is a further reason an IP-level block is a poor fit here. Blocking 2[.]tcp[.]ngrok[.]io, an ngrok TCP tunnel endpoint, is the more precise action, keeping in mind that such endpoints are shared, so the block affects every tunnel terminated there.
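The domain-versus-IP decision the two cases above walk through, as an added worked example (it is not code from the article or from Threat Intelligence Platform): the reverse IP results and the threat-database hits are constructed here from the hostnames quoted above, `classify`, `evaluate`, `rpz_records` and `ip_blocklist` are hypothetical helpers standing in for whatever your own pipeline uses, and the script emits BIND Response Policy Zone (RPZ) records for the domain-level blocks together with the list of addresses that can safely be blocked outright. It goes slightly beyond the article by treating provider-generated reverse names (the AWS `ec2-…` pattern) as a reason to prefer domain blocking, since such addresses are reassignable.

```python
"""Decide between IP-level and domain-level blocking from reverse IP results.

Added example, not the article's or Threat Intelligence Platform's code.
The lookup results and threat-database hits are constructed from the
hostnames quoted in the article; classify() and rpz_records() are
hypothetical helpers standing in for whatever your pipeline uses.
"""
import re
from dataclasses import dataclass, field

# Constructed: what a reverse IP lookup returned for the two addresses
# discussed above (defanged "[.]" undone so the names can be matched).
REVERSE_IP_RESULTS = {
    "31.220.4.216": ["cashout2018.ddnss.de", "egircollector.net", "nonamefree.ru"],
    "3.22.53.161": ["2.tcp.ngrok.io", "ec2-3-22-53-161.us-east-2.compute.amazonaws.com"],
}

# Constructed: hostnames a threat database flagged as malicious.
KNOWN_MALICIOUS = {"cashout2018.ddnss.de", "2.tcp.ngrok.io"}

# AWS assigns a reverse-DNS name of this shape to every EC2 public address.
# Such a name proves only that the IP sits in Amazon's pool (and may be
# reassigned to another customer later); it is not evidence of a tenant.
PROVIDER_GENERATED = re.compile(
    r"^ec2-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.[a-z0-9-]+\.compute\.amazonaws\.com$"
)


@dataclass
class Decision:
    ip: str
    block_ip: bool = False
    block_domains: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def classify(ip, hostnames, malicious):
    """Pick the narrowest block that still covers every known-bad name.

    - no malicious names                      -> nothing to block
    - bad names beside benign or provider-    -> block only the bad names
      generated names (shared/reassignable IP)
    - every name malicious                    -> the IP itself is safe to block
    """
    d = Decision(ip=ip)
    bad = sorted(h for h in hostnames if h in malicious)
    generic = [h for h in hostnames if PROVIDER_GENERATED.match(h)]
    benign = [h for h in hostnames if h not in malicious and h not in generic]
    for h in generic:
        d.notes.append(f"{h}: provider-generated reverse name, address is reassignable")
    if not bad:
        d.notes.append("no malicious names on this address")
    elif benign or generic:
        d.block_domains = bad
        d.notes.append(f"shared/reassignable host: blocking {len(bad)} name(s), not the IP")
    else:
        d.block_ip = True
        d.block_domains = bad
        d.notes.append("every name on this address is malicious; IP block is safe")
    return d


def evaluate(results=REVERSE_IP_RESULTS, malicious=KNOWN_MALICIOUS):
    """Run classify() over every looked-up address."""
    return [classify(ip, names, malicious) for ip, names in results.items()]


def rpz_records(decisions):
    """Render domain-level blocks as BIND Response Policy Zone records.

    'CNAME .' makes the resolver answer NXDOMAIN for the name; the wildcard
    entry covers any subdomain beneath it.
    """
    lines = []
    for d in decisions:
        for h in d.block_domains:
            lines.append(f"{h} IN CNAME .")
            lines.append(f"*.{h} IN CNAME .")
    return lines


def ip_blocklist(decisions):
    """Addresses that can be dropped at the firewall without collateral."""
    return [d.ip for d in decisions if d.block_ip]


if __name__ == "__main__":
    decisions = evaluate()
    for d in decisions:
        print(f"{d.ip}: block_ip={d.block_ip} domains={d.block_domains}")
        for n in d.notes:
            print(f"  - {n}")
    print("\n; RPZ zone fragment")
    print("\n".join(rpz_records(decisions)))
    print("\n# firewall IP blocklist:", ip_blocklist(decisions) or "(none)")
```

For both addresses in the article the script produces domain-level RPZ entries and an empty IP blocklist; an address whose every name is known-bad lands on the IP blocklist instead. Keep in mind that DNS-level blocking only stops clients that resolve the name: malware with the tunnel endpoint's IP and port hard-coded bypasses it, so pair the RPZ entry with a network rule where that is a concern.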

If your company owns any of the non-malicious domains or subdomains and wants to make sure it doesn't end up on another organization's blocklist, consider moving to a different IP address, with the help of your hosting provider or Internet service provider (ISP), once a reverse IP lookup shows you share one with a malicious property. That way, your corporate email and other communications still reach their intended destinations even when your contacts employ IP-level blocking. Note that this helps only with IP-keyed blocklists; if your domain itself has been listed, you will need to request delisting from the list operator.


While IP-level blocking may work at keeping threats at bay, the strategy could have unintended repercussions, too. Missing out on business opportunities due to overblocking or blacklisting is one of them. But as the demonstrations showed, that situation can be managed with the aid of a reverse IP lookup API.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
