
Translating IP Intelligence into Actionable Security Intelligence

IP Blacklisting Is Not as Black or White as It Sounds. IP Intelligence Should Be Used to Help Flag Malicious Attack Sources.

At first glance, IP addresses do not provide us with much useful information to thwart attacks. Several factors may cause us to quickly dismiss the idea, such as connection aggregators (in large organizations and ISPs, for example), where a single IP represents a group of unrelated sources. Further, it can be argued that the IP address may not represent the true source of an attack, since hackers often hide behind proxies and relays. Then there’s the issue of hopping, where IPs are dynamically allocated and an attacker can switch addresses during a single session.

So it is easy to see why IP addresses are often discounted from a security perspective. But it’s time to think again. Gathering information about individual IP addresses has a number of uses that can assist and influence security decisions, for example, by flagging a request as malicious. But just how do we gather this IP intelligence, and how do we use it to our advantage?

Geo-Location

One of the most important aspects of IP intelligence is geo-location data. The physical location of an IP address can sometimes be extracted through explicit registrar information. It can also be uncovered by performing a network analysis, which requires extrapolating the traffic route as well as timing the requests and responses. We can look at different levels of granularity, such as the source country (for which the IP address representation is usually accurate) or region.

From a security perspective, geo-location information can come in handy in a number of situations:

Business Logic Attacks - Here, the attacker is able to bypass the normal, anticipated flow of an application. Ultimately, these types of attacks allow the hacker to gain unauthorized access to different parts of the application or to perform illicit activity against it. Now let’s say you have a vegetable delivery service in San Francisco. A multitude of rapid requests coming from Vietnam concerning deliveries of fresh supplies should probably be flagged as suspicious. In situations like this, analyzing geo-location data can help. It can also help to impose functionality limitations that stem from compliance issues. For instance, the European regulations are very strict about accessing personal information from outside the EU.

Fraud Detection – IP geo-location data can also help when it comes to the alerting process, configuring security so that red flags are raised when requests are performed from unusual geographical locations or there are simultaneous access attempts across geographically-dispersed locations. Further, account differences can be taken into consideration by correlating the physical location, shipping and billing addresses.

Influencing Fuzzy Decisions - Say a request is flagged as suspicious, malicious, or benign. Geo-location data can also be used to decide whether to drop the request or to flag it as suspicious and follow up with other steps. These steps can be, for instance, requesting that the user provide additional authentication or reducing some of the application’s functionality.

Analyzing Distributed Attacks - For example, my employer recently witnessed a case of comment spam which was traced to numerous sources which shared the same hub in an ISP.

Connection and Allocation

Connection attributes, such as whether the connection originates from dial-up, cable or T1, as well as IP allocation (static or dynamic) and even connection speeds, are all part of the IP intelligence process. For instance, we can apply the fact that dynamic allocations typically do not come from servers. In fact, according to Microsoft research, the vast majority of SMTP traffic originating from dynamically allocated addresses is actually spam. Also, dynamic allocations are typically not aggregators, meaning that the IP represents only one (or several) users. So if, for example, there are many failed logins from a dynamically allocated IP, it is possible to assume that the application is under a brute force attack.

Thwarting Masquerading

IP intelligence also helps to identify attackers hiding their true source. Hiding places could be network relays (such as a SOCKS proxy), anonymous proxies, and TOR networks. There are different ways to uncover the usage of proxies:

* Keeping an up-to-date blacklist of IP addresses belonging to TOR servers or anonymous proxy computers.

* Detecting discrepancies between information implied by the IP address and the actual request. A multitude of methods can be incorporated, such as looking at the “accept-language” request header. If the value is foreign (say, ru) but the address is local, this should raise suspicion. The same applies if the response time is significantly slower than what is implied by the location (as derived from the IP address). Further, an abnormal path can be detected by analyzing BlueCoat headers.
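The two checks above (proxy blacklist membership and an “accept-language” value that does not fit the address's location) can be combined as in the following added example, which is not part of the original column. The address ranges, the geo table and the per-country language sets are constructed stand-ins for a real proxy list and geo-location database.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real intelligence).
PROXY_BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for a TOR/proxy list
GEO_TABLE = {                                               # stand-in for a geo-location database
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}
EXPECTED_LANGS = {"US": {"en", "es"}, "DE": {"de", "en"}}   # assumption: plausible languages per country


def parse_accept_language(header):
    """Return primary language subtags ordered by q-value, highest first."""
    langs = []
    for part in header.split(","):
        fields = part.strip().split(";")
        tag = fields[0].strip().lower()
        if not tag or tag == "*":
            continue
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.strip().partition("=")
            if name == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat the language as not accepted
        if q > 0:
            langs.append((q, tag.split("-")[0]))
    langs.sort(key=lambda item: -item[0])  # stable sort keeps header order for ties
    return [lang for _, lang in langs]


def masquerade_flags(src_ip, accept_language):
    """Return the reasons a request may be arriving through a proxy or relay."""
    ip = ipaddress.ip_address(src_ip)
    flags = []
    if any(ip in net for net in PROXY_BLACKLIST):
        flags.append("listed-proxy")
    country = next((c for net, c in GEO_TABLE.items() if ip in net), None)
    langs = parse_accept_language(accept_language or "")
    # Flag only when none of the accepted languages fits the geo-located country.
    if country and langs and not (set(langs) & EXPECTED_LANGS[country]):
        flags.append("language-mismatch:%s/%s" % (country, langs[0]))
    return flags
```

A missing or empty header produces no flag, since absence of the header says nothing about the source's location.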

Reputation

Reputation requires the creation of IP black and white lists. Bad reputation comes from IPs known to originate from compromised servers, botnet Command and Control (C&C) servers, infected servers, active spam sources, crawlers and other such sources of nefarious activities. However, it’s important to keep track of those sources with impeccable reputation as well. This means knowing the IPs of legitimate search engine bots and aggregators (such as Akamai and Limelight). Because hackers move from one compromised server to another, it is important that this information is updated with high frequency and that aging mechanisms are applied.

Reputation controls could help against several security challenges, including:

* Form spam / Comment spam – helping to identify potentially vulnerable resources and blocking access from known active spamming sources.

* Business Logic Attacks – reducing functionality for known infected sources and challenging the user to provide extended authentication.

* Automation – challenging the user in order to test whether it is a human or automated process by using CAPTCHAs for example.

* Zero-day Attacks – Some zero days can be blocked based on who is actually using them.
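A reputation list with aging, a whitelist and a graded response (block, challenge, allow) can be modelled as in the following added example, which is not part of the original column. The category weights, the 7-day half-life, the 30-day maximum age, the thresholds and the rule that the whitelist takes precedence are all illustrative assumptions, not values from any provider.

```python
import ipaddress
from datetime import timedelta

# Assumed tuning values for this sketch (not taken from any reputation feed).
WEIGHTS = {"botnet-cc": 100, "spam": 60, "crawler": 30}
HALF_LIFE = timedelta(days=7)    # a listing loses half its weight per week unseen
MAX_AGE = timedelta(days=30)     # older listings are ignored and purged
BLOCK_AT, CHALLENGE_AT = 50, 15


class ReputationStore:
    def __init__(self, whitelist):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.entries = {}  # ip address -> (category, last_seen)

    def report(self, ip, category, seen):
        """Record a sighting from a feed; a newer sighting refreshes the entry."""
        addr = ipaddress.ip_address(ip)
        old = self.entries.get(addr)
        if old is None or seen >= old[1]:
            self.entries[addr] = (category, seen)

    def score(self, ip, now):
        """Category weight, halved for every HALF_LIFE since the last sighting."""
        entry = self.entries.get(ipaddress.ip_address(ip))
        if entry is None:
            return 0.0
        category, last_seen = entry
        age = max(now - last_seen, timedelta(0))
        if age > MAX_AGE:
            return 0.0
        return WEIGHTS.get(category, 0) * 0.5 ** (age / HALF_LIFE)

    def purge(self, now):
        """Aging: drop entries that have not been seen within MAX_AGE."""
        self.entries = {ip: e for ip, e in self.entries.items() if now - e[1] <= MAX_AGE}

    def decide(self, ip, now):
        """Whitelisted sources pass; others are blocked or challenged by score."""
        if any(ipaddress.ip_address(ip) in net for net in self.whitelist):
            return "allow"
        s = self.score(ip, now)
        return "block" if s >= BLOCK_AT else "challenge" if s >= CHALLENGE_AT else "allow"
```

Here "challenge" stands for the softer responses listed above, such as a CAPTCHA or extended authentication.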

IP Intelligence Tools and Data Providers

A number of providers offer geo-location information. Some are free, while others are not. Major players in this realm are Quova, Digital Envoy, and MaxMind. Offerings usually come in one of two forms. Some are provided as an online service, which would be more adequate for forensic analysis and non-streaming applications such as email. Other services come in the form of an on-premise database with an API. This is more suitable for online security decisions. Other than geo-location data, different providers include some additional attributes related to connection and allocation.

As for reputation data, providers tend to specialize in specific types of malicious activity, such as spam, botnets, etc. As such, the various providers differ in their data set offerings and information. There are free providers of reputation data such as Dshield and ShadowServer. Commercial offerings exist too, such as Verisign, RSA, McAfee, Commtouch, ThreatMetrix, Cyveillance, and Unspam. Data offerings are bundled in different forms such as a Web service, an incoming feed, or an on-premise database or appliance shielded by an API. Some providers offer only raw data; several providers also include additional indicators such as a measurement of the intensity of malicious activity or activity duration information (last seen, first seen, etc.).

How do you evaluate which vendor provides the most suitable solution for you? Consider the following aspects:

* Form Factor - Do you need a high streaming solution or just a manual forensics process?

* Focus of Data - Are you looking to fight spam, Web attacks or bot infection?

* Processing - Can you process raw data or do you need a processed, scored feed?

IP Intelligence – an added value

The changes in the “threatscape” make the use of IP intelligence valuable for detecting and mitigating attacks. Commercial tools of various shapes and different purposes are available to help. Some are forensic analysis oriented, others can integrate with online security devices and several vendors also provide packaged solutions.

As presented, IP intelligence can quickly identify “known” bad traffic, enabling us to focus on complex issues. It also allows the mitigation of zero-day attacks before they are well analyzed and specific protection has been put in place against these. Further, IP intelligence is useful to fight online fraud by applying tools that help evaluate transactions and user behavior.

Next Column...

In this column I raised the issue of business logic attacks. In my next column, I will deep dive into this class of attacks, pointing out different aspects and how to mitigate them.

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.