IP Reputation - Responsiveness is Key

Thanks to an email from one of the folks evaluating ThreatSTOP, I did a quick comparison check to see how much quicker ThreatSTOP is to report bad IP addresses. This is very important as new, unknown IP addresses, can wreak havoc until they are tracked down.

A brief aside: once an IP address becomes known as, say, a botnet C&C host it will start to get blocked. In fact we quite often see IP addresses fall down the slippery slope of recividism. First they start out as malware droppers or C&C hosts, then they become phishing sites or spammers, finally they become recon bots searching for open ports and vulnerabilities in servers. The key to this progression is that the IP address gradually becomes better known as bad and that the things it does first, when it is unknown, are the most dangerous to the Internet. Hence the quicker they are picked up the quicker people can protect against them.

So, getting back to the responsiveness question. Our evaluator compared us to McAfee's Trusted Source (which is BTW an awesome resource) and noted that we appeared to report IP addresses faster. That is to say we'd report an IP address as bad and then some time later Trusted Source would also report it as bad. Well this was something that needed a bit of confirmation so I took our current list of the botnet C&C hosts and compared it with the list from 24 hours earlier. Of the 1911 ip addresses currently in that feed 44 were new (I'll append the list to this post) and I checked all 44 with Trusted Source.

The results:

16 were either 'unverified' or 'minimal risk' for both web and email.
12 were listed as bad for email but either 'unverified' or 'minimal risk' for web
6 were listed as bad for web but either 'unverified' or 'minimal risk' for email
10 were listed as bad for both web and email.

Of the 22 that were listed as bad for email and hence could be assumed to have history, ThreatSTOP knew about half (13) as being definitively bad and 11 we had no knowledge of other than as botnet C&C. However I'm unclear about the accuracy of McAfee's Email rating since a number of those (in fact it was probably all 11 but I gave up checking) had no email data graphs of history so it seems likely that the email report was as fresh as the the botnet one and probably related.

Finally I did a sample of the 41 that were between 24 and 48 hours old and McAfee's Trusted Source appeared to know about almost all of them as bad for web. That is to be expected.

So to recap. 44 new addresses in 24 hours of the most dangerous sorts on the Internet - that is botnet C&C hosts. Of those ThreatSTOP in fact already knew of 11 as did McAfee. We were blocking 16 that McAfee had no idea of. We blocked 6 at about the same time that McAfee knew about them and 11 more may have been known by McAfee first, but not necessarily as botnet C&Cs.

I imagine I'll run this test again in a week or two to confirm this finding but it looks like yes ThreatSTOP is faster to identify bad IP addresses, and since they get automatically downloaded onto our subscriber's firewalls, far faster to provide protection against bots calling home with stolen data.

The tedious data in raw form from an internal reporting tool that I modified so it would provide automatic links to Trusted Source so you can confirm the results (note you should confirm that the first report is 15 March or later). If you want to check the ThreatSTOP part of the report then please register and paste it into our checklogs tool:{as:6714,asname:'ATOMNET ATOM SA',cc:'PL',age:0}{as:7011,asname:'FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.',cc:'US',age:0}{as:30058,asname:'FDCSERVERS - FDCservers.net',cc:'US',age:0}{as:30722,asname:'VODAFONE-IT-ASN Vodafone N.V.',cc:'IT',age:0}{as:8542,asname:'BKKB BKK Marked AS',cc:'NO',age:0}{as:6724,asname:'STRATO STRATO AG',cc:'DE',age:0}{as:47781,asname:'ANSUA-AS PE Sergey Demin',cc:'UA',age:0}{as:4788,asname:'TMNET-AS-AP TM Net, Internet Service Provider',cc:'MY',age:0}{as:4812,asname:'CHINANET-SH-AP China Telecom (Group)',cc:'CN',age:0}{as:3758,asname:'ERX-SINGNET SingNet',cc:'SG',age:0}{as:16276,asname:'OVH OVH',cc:'FR',age:0}{as:49469,asname:'SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL',cc:'EU',age:0}{as:36752,asname:'YAHOO-SP1 - Yahoo',cc:'US',age:0}{as:23338,asname:'ASN-DCS-01 - DCS Pacific Star, LLC',cc:'US',age:0}{as:11427,asname:'SCRR-11427 - Road Runner HoldCo LLC',cc:'US',age:0}{as:2828,asname:'XO-AS15 - XO Communications',cc:'US',age:0}{as:50465,asname:'IQHOST IQHost Ltd',cc:'RU',age:0}{as:28753,asname:'LEASEWEB-DE Leaseweb Germany GmbH (previously netdirekt e. K.)',cc:'DE',age:0}{as:2609,asname:'TN-BB-AS Tunisia BackBone AS',cc:'TN',age:0}{as:3320,asname:'DTAG Deutsche Telekom AG',cc:'DE',age:0}{as:55720,asname:'GIGABIT-MY THEGIGABIT.com - Dedicated Server & Server Co-Location',cc:'MY',age:0}{as:21826,asname:'Internet Cable Plus C. A.',cc:'VE',age:0}{as:50244,asname:'ITELECOM Pixel View SRL',cc:'RO',age:0}{as:14037,asname:'AS-RVB-1 - RackVibe LLC',cc:'US',age:0}{as:50244,asname:'ITELECOM Pixel View SRL',cc:'RO',age:0}{as:8001,asname:'NET-ACCESS-CORP - Net Access Corporation',cc:'US',age:0}{as:15593,asname:'FinFin Autonomous system',cc:'PL',age:0}{as:3462,asname:'HINET Data Communication Business Group',cc:'TW',age:0}{as:9394,asname:'CRNET CHINA RAILWAY Internet(CRNET)',cc:'CN',age:0}{as:16265,asname:'LEASEWEB LEASEWEB AS',cc:'GR',age:0}{as:8522,asname:'FORTH-AS FORTH Autonomous System',cc:'EU',age:0}{as:51786,asname:'HAKVA LLC 2H Akva Group',cc:'CZ',age:0}{as:21844,asname:'THEPLANET-AS - ThePlanet.com Internet Services, Inc.',cc:'US',age:0}{as:15083,asname:'INFOLINK-MIA-US - Infolink',cc:'PA',age:0}{as:6939,asname:'HURRICANE - Hurricane Electric, Inc.',cc:'US',age:0}{as:17048,asname:'AWKNET - Awknet Communications, LLC',cc:'US',age:0}{as:30340,asname:'AS-TIER - Tierpoint, LLC',cc:'US',age:0}{as:43561,asname:'NET1-AS NET1 Ltd.',cc:'BG',age:0}{as:48587,asname:'NET-0X2A-AS Private Entrepreneur Zharkov Mukola Mukolayovuch',cc:'UA',age:0}{as:14080,asname:'Telmex Colombia S.A.',cc:'CO',age:0}{as:36351,asname:'SOFTLAYER - SoftLayer Technologies Inc.',cc:'US',age:0}{as:50244,asname:'ITELECOM Pixel View SRL',cc:'RO',age:0}{as:24940,asname:'HETZNER-AS Hetzner Online AG RZ',cc:'DE',age:0}{as:5617,asname:'TPNET Telekomunikacja Polska S.A.',cc:'PL',age:0}


Share this: