How to Detect Suspicious IP Addresses

One of the most important talents a cybersecurity expert must have is the ability to detect and block a suspicious IP address.

What is an IP address?

An IP address (Internet Protocol address) is a label assigned to every device connected to the internet. This label consists of numbers and is unique.

Assigning an IP address to the devices with an internet connection serves two purposes: identification and addressing. With the help of IP addresses, one can identify the host and/or the network, and address the location of the device.

The Internet Assigned Numbers Authority (IANA) manages the IP address space globally and delegates it to five distinct regional Internet registries, each managing a different region of the globe.

There are two different versions of the IP address. One is a rather dated version called ARPANET, which was first used in 1983. The other one is called Internet Protocol version 4 (also known as IPv4).

As of today, both of these Internet Protocol versions are used simultaneously.

What does suspicious IP mean?

Simply put, there are ‘good’ IPs and there are ‘suspicious’ IPs. Several different factors can make an IP suspicious: sending a lot of spam, being associated with a device that is swarmed with malware, being associated with adware, showing unusual behavior patterns, and so on.

Being able to detect suspicious IP addresses and blocking them before they cause any harm is an essential skill for a cybersecurity professional to have.

What is IP reputation?

An IP address with a strong history of non-malicious activity and relationships (meaning it has never been associated with malicious behavior or malware, has never been hijacked by malicious actors, and is otherwise connected only to benign domains, locations, and internet objects) has a good reputation. But if the IP has been observed hosting malware at various points in the past (even if it is currently benign), or is connected to domains known for hosting phishing sites, dropping malware, or performing other malicious activity, then there’s a good chance that IP poses a risk to internet users. The riskier the IP, the worse its reputation.

Why is IP reputation important?

A strong IP reputation means the device that corresponds to that address is a trustworthy source of information and internet communications. For example, if you’re a business owner who wants to send emails to clients, your IP reputation can strongly affect whether your emails get flagged as spam. If your website gets hijacked or one of your servers is used fraudulently in a malicious spam (“malspam”) campaign, your IP reputation will go down, and emails from you will no longer be considered trustworthy. Therefore, your attempts at email marketing will go exactly nowhere until your reputation improves.

How do you determine an IP reputation score?

There are a variety of factors that must be considered to produce an accurate IP reputation score.

Here are some of the parameters that may be used in gauging IP reputation.

  • IP category
  • Age of the IP
  • History of the IP
  • Domain reputation
  • Associated URL reputation
  • Presence of downloadable files or code
  • Previous association with malicious internet objects
  • Current association with malicious internet objects
  • Popularity
  • Hosting location
  • Real-time performance
  • Website and/or network owner
  • Presence on any allow/blocklists

Analyzing the above types of characteristics can yield a very accurate assessment of the level of risk associated with a given IP address.
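To make the factor list above concrete, here is an added example (not from the original article or any vendor's product) of a small scorer that combines several of those parameters into a single risk score and a gateway action. The feeds, field names, weights and thresholds are all assumptions chosen for illustration, and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed sample feeds (hypothetical), not real threat intelligence.
ALLOWLIST = {"192.0.2.10"}                            # presence on allowlists
BLOCKLIST = {"198.51.100.23"}                         # presence on blocklists
MALWARE_HISTORY = {"203.0.113.77": date(2023, 5, 1)}  # previous malicious association


@dataclass
class IPObservation:
    """What we currently know about one address (hypothetical fields)."""
    ip: str
    first_seen: date         # age of the IP
    spam_per_day: int        # history: observed outbound spam volume
    malicious_domains: int   # current association with malicious internet objects


def reputation_score(obs: IPObservation, today: date = date(2024, 1, 1)) -> int:
    """Combine the factors into a risk score from 0 (clean) to 100 (high risk)."""
    addr = ipaddress.ip_address(obs.ip)               # rejects malformed input early
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{obs.ip} cannot be a remote peer")
    if obs.ip in ALLOWLIST:
        return 0                                      # explicit trust wins
    score = 0
    if obs.ip in BLOCKLIST:
        score += 50
    if obs.ip in MALWARE_HISTORY:
        score += 20                                   # past hosting counts even if clean now
    score += min(obs.malicious_domains * 10, 30)      # cap so one factor cannot dominate
    if obs.spam_per_day > 100:
        score += 20
    if (today - obs.first_seen).days < 30:
        score += 10                                   # young address, no track record yet
    return min(score, 100)


def classify(score: int) -> str:
    """Map a score to the action a mail gateway or SIEM rule would take."""
    return "block" if score >= 50 else "review" if score >= 20 else "allow"


SAMPLES = [  # constructed observations
    IPObservation("192.0.2.10", date(2015, 1, 1), 0, 0),
    IPObservation("198.51.100.23", date(2023, 12, 20), 500, 2),
    IPObservation("203.0.113.77", date(2019, 6, 1), 0, 0),
]

if __name__ == "__main__":
    for obs in SAMPLES:
        s = reputation_score(obs)
        print(f"{obs.ip:15} score={s:3d} -> {classify(s)}")
```

Note that 203.0.113.77 is scored as "review" despite no current activity, which is the page's point that a past malware association still lowers reputation.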

Free Online Tools for Looking up Potentially Malicious Websites

Several organizations offer free online tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real-time to identify threats:

Sources:
Free Online Tools for Looking up Potentially Malicious Websites (zeltser.com)
What is IP Reputation? | Webroot
How to Detect Suspicious IP Addresses — Logsign
