What is IP reputation?
To talk about IP reputation, we first need to cover the basics of IP addresses. IP stands for “internet protocol.” An IP address is a string of numbers assigned to computers, routers, servers, phones — effectively anything connected to the internet, including websites. Like a physical address, an IP address is used to locate connected devices on the internet, so that communications can occur between them.
If we continue thinking about IP addresses as similar to physical ones, then the idea of reputation also starts to make sense. For example, a house or business could be located in a “good” neighborhood, i.e., one with a good reputation, or a “bad” one. There are a variety of factors that determine a neighborhood’s reputation, including crime statistics; proximity to schools, hospitals, grocery stores, or entertainment; median age and condition of the buildings; types of businesses nearby; how the neighborhood has changed over time; how similar neighborhoods have changed over time; and much more.
IP address reputations can be described in much the same way. If an IP address has a strong history of non-malicious activity and relationships — meaning it has never been associated with malicious behavior or malware, never been hijacked by malicious actors, and is otherwise only connected to benign domains, locations, and internet objects — then that IP will have a good reputation. But if the IP has been observed hosting malware at various points in the past (even if it is currently benign), or is connected to domains known for hosting phishing sites, dropping malware, or performing other malicious activity, then there is a good chance that IP poses a risk to internet users. The riskier the IP, the worse its reputation.
Why is IP reputation important?
A strong IP reputation means the device that corresponds to that address is a trustworthy location for information and internet communications. For example, if you’re a business owner who wants to send emails to clients, your IP reputation can strongly affect whether your emails get flagged as spam. If your website gets hijacked or one of your servers is used fraudulently in a malicious spam (“malspam”) campaign, your IP reputation will go down, so emails from you will not be considered as trustworthy. Therefore, your attempts at email marketing will go exactly nowhere until your reputation improves.
IP addresses and their reputations are not static and may cycle from malicious to benign and back multiple times, or they may exhibit different types of malicious behavior. According to the latest Webroot BrightCloud® Threat Report, when looking at the top 50K IP addresses that recurred on our “malicious” list in 2020, 97.3% were caught displaying at least four distinct risk factors, such as being spam sources. Almost half (45%) of the top 50K recurred during at least two different months, while 25.8% were seen doing something malicious every single month.
Because the level of risk an IP poses can fluctuate so much, publicly available lists are too static and outdated to be of use. Dynamic, granular intelligence is one of the only ways to discover the hard-to-spot malicious actors. IP reputation intelligence helps protect internet users from known malware sources and malicious or suspicious content on the internet, typically through network solutions like next-generation firewalls and network load balancers. Disabling inbound communications from IPs known to be malicious, which have associations with other malicious online objects, is a highly effective way to keep networks secure.
How do you determine an IP reputation score?
As with the neighborhood analogy above, there are a variety of factors that must be considered to produce an accurate IP reputation score.
Here are some of the parameters that may be used in gauging IP reputation.
- IP category
- Age of the IP
- History of the IP
- Domain reputation
- Associated URL reputation
- Presence of downloadable files or code
- Previous association with malicious internet objects
- Current association with malicious internet objects
- Hosting location
- Real-time performance
- Website and/or network owner
- Presence on any allow/block lists
As with overall web reputation (of which IP address reputation is a component), analyzing the above types of characteristics can yield a very accurate assessment of the level of risk associated with a given IP address.
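The parameters listed above can be combined into a single score. The following is an added example written for this page, not BrightCloud's scoring algorithm: it is a toy scorer whose weights, the 90-day half-life for past sightings, the category penalties and the field names are all assumptions chosen for illustration. It shows two points the text makes, that history counts even when the IP is currently benign, and that a sighting from years ago should weigh less than one from last month.

```python
"""Toy IP reputation scorer (added example, not BrightCloud's algorithm)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List
import ipaddress


@dataclass
class IPEvidence:
    """Evidence gathered about one IP. Field names are assumptions for this example."""
    address: str
    category: str                       # e.g. "residential", "hosting", "proxy", "tor"
    first_seen: date                    # stands in for the age of the IP
    as_of: date                         # date the score is computed for
    malicious_events: List[date] = field(default_factory=list)         # past malware/spam/phishing sightings
    associated_domain_scores: List[int] = field(default_factory=list)  # 0-100 reputation of linked domains
    serves_downloads: bool = False      # downloadable files or code observed
    on_blocklist: bool = False
    on_allowlist: bool = False


# Assumed penalty per IP category; anonymising infrastructure is treated as riskier.
CATEGORY_PENALTY = {"residential": 0, "hosting": 5, "proxy": 20, "tor": 30}


def history_penalty(events: List[date], as_of: date, half_life_days: int = 90) -> float:
    """Past sightings still count, but each one decays with an assumed 90-day half-life,
    so an IP that was malicious years ago is not scored like one caught last week."""
    penalty = 0.0
    for seen in events:
        age_days = (as_of - seen).days
        penalty += 25 * 0.5 ** (age_days / half_life_days)
    return min(penalty, 60.0)  # cap so history alone cannot zero the score


def reputation_score(ev: IPEvidence) -> int:
    """Combine the factors into a 0-100 score; 100 is the best reputation."""
    ipaddress.ip_address(ev.address)  # raises ValueError on a malformed address
    score = 100.0
    if (ev.as_of - ev.first_seen).days < 30:
        score -= 10  # a brand-new IP has no track record to vouch for it
    score -= CATEGORY_PENALTY.get(ev.category, 10)  # unknown category: mild penalty
    score -= history_penalty(ev.malicious_events, ev.as_of)
    if ev.associated_domain_scores:
        worst = min(ev.associated_domain_scores)  # one bad neighbour drags the IP down
        score -= (100 - worst) * 0.3
    if ev.serves_downloads:
        score -= 5
    if ev.on_blocklist:
        score -= 20
    if ev.on_allowlist:
        score += 10
    return int(max(0, min(100, round(score))))


def risk_label(score: int) -> str:
    """Map a score onto the coarse bands a firewall policy might key on."""
    if score >= 80:
        return "low risk"
    if score >= 50:
        return "moderate risk"
    return "high risk"


AS_OF = date(2021, 1, 1)

# Constructed evidence records; addresses are from the RFC 5737 documentation ranges.
CLEAN = IPEvidence("192.0.2.10", "residential", date(2019, 1, 1), AS_OF,
                   associated_domain_scores=[90, 95])
RECENT_BAD = IPEvidence("198.51.100.7", "hosting", date(2020, 11, 20), AS_OF,
                        malicious_events=[AS_OF - timedelta(days=30)],
                        associated_domain_scores=[40],
                        serves_downloads=True, on_blocklist=True)
OLD_BAD = IPEvidence("203.0.113.5", "hosting", date(2015, 6, 1), AS_OF,
                     malicious_events=[AS_OF - timedelta(days=730)],
                     associated_domain_scores=[85])

if __name__ == "__main__":
    for ev in (CLEAN, RECENT_BAD, OLD_BAD):
        s = reputation_score(ev)
        print(f"{ev.address:16} score={s:3d} {risk_label(s)}")
```

Run as a script it prints one line per constructed record: the clean residential IP scores 97, the hosting IP caught a month ago with a blocklist entry and a poorly rated domain scores 32, and the hosting IP whose only sighting is two years old recovers to 90. The decay is the design choice worth noticing: a static list would treat the last two identically, which is exactly the staleness the text warns about.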
What IP reputation tools are available?
Most IP reputation tools fall into one of two categories: they either enable manual IP reputation lookups, or they enable you to block IPs with malicious or suspicious reputations.
- IP reputation lookup/monitoring services
If you’re a business, knowing your IP reputation (and having a good one) will help ensure customers can come to your website, receive your emails, see your website in search results, see your ads during their browsing experience, and more. Use a lookup service to check your reputation. If it’s not where you want it to be or seems inaccurate, some services will allow you to contest their score or will even work with you to determine why or how the reputation damage occurred.
- IP reputation intelligence
IP reputation intelligence often comes in the form of static lists that can be integrated into threat intelligence solutions, firewalls, and network appliances. But the dynamic nature of IP addresses means static lists are often outdated almost as soon as they’re published. The strongest solution is a real-time IP intelligence service that can provide nuance and context to help enterprises and technology providers better protect customers and end users from IP-related threats.
Dynamic IP reputation intelligence informs security decisions and strengthens defenses. When armed with a continuously updated feed of known malicious IP addresses, IT security administrators can easily identify threats by type to protect their networks and those who use them. This type of intelligence can be used to block traffic from TOR nodes, proxies, botnets, and other malicious actors. Additionally, some services provide metadata for investigative purposes. (For example, proxies have been used not only for obfuscation but also to launch short-lived DDoS attacks. Similarly, the metadata for a botnet command and control (C&C) server includes the bot IPs as well as the originating central server IP.)
- IP reputation intelligence can be used to power an IP intelligence service in network perimeter appliances to monitor or block traffic from malicious addresses and protect users and sensitive data.
- IP reputation categorization can be used to track known proxies, allowing admins to block malicious requests, such as those originating from phishing sites or man-in-the-middle attacks, or to respond with an alert instead.
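What a perimeter appliance does with such a feed is, at its core, a lookup of each inbound source address against categorized entries, followed by a per-category action. The following is an added example, not BrightCloud's or any appliance's code: the feed rows, the `key=value` log format, the expiry field and the block-versus-alert policy are all constructed for illustration. It handles the two details the text emphasises, that entries age out (a stale entry would block an address that may since have been reassigned) and that IPv6 sources must be matched as well as IPv4.

```python
"""Feed-driven IP checking for inbound connection logs (added example, not BrightCloud's code)."""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed feed rows: (network, category, expiry). Real feeds are vendor-specific;
# the expiry field models a continuously refreshed list in which entries age out.
FEED = [
    ("203.0.113.0/24", "botnet_c2", "2021-03-10T00:00:00Z"),
    ("198.51.100.42", "malware", "2021-03-01T00:00:00Z"),      # already expired at NOW below
    ("2001:db8:bad::/48", "proxy", "2021-04-01T00:00:00Z"),
    ("192.0.2.9", "tor", "2021-04-01T00:00:00Z"),
]

# Assumed policy: hard-block infrastructure categories, alert on anonymisers for review.
POLICY = {"botnet_c2": "block", "malware": "block", "proxy": "alert", "tor": "alert"}

# Invented log format: "... src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def load_feed(rows, now: datetime):
    """Parse feed rows into (network, category) pairs, dropping expired entries."""
    active = []
    for cidr, category, expires in rows:
        exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if exp <= now:
            continue  # stale entry: keeping it would block a possibly reassigned address
        active.append((ipaddress.ip_network(cidr, strict=False), category))
    return active


def classify(ip_text: str, feed) -> Optional[str]:
    """Return the category of the first feed entry containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)  # accepts both IPv4 and IPv6 literals
    except ValueError:
        return None
    for net, category in feed:
        if ip.version == net.version and ip in net:
            return category
    return None


def decide(log_line: str, feed) -> Tuple[str, Optional[str]]:
    """Turn one connection log line into (action, category)."""
    m = LOG_RE.search(log_line)
    if not m:
        return ("ignore", None)  # unparseable line; route to a parse-error counter
    category = classify(m.group(1), feed)
    if category is None:
        return ("allow", None)
    return (POLICY.get(category, "alert"), category)  # unknown category: alert, never silently allow


# Constructed sample log lines in the invented format above.
SAMPLE_LOG = [
    "2021-03-04T10:00:01Z src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2021-03-04T10:00:02Z src=198.51.100.42 dst=10.0.0.5 dport=25",
    "2021-03-04T10:00:03Z src=2001:db8:bad::1 dst=10.0.0.5 dport=443",
    "2021-03-04T10:00:04Z src=192.0.2.9 dst=10.0.0.5 dport=22",
    "2021-03-04T10:00:05Z src=10.0.0.8 dst=10.0.0.5 dport=80",
    "2021-03-04T10:00:06Z heartbeat ok",
]
NOW = datetime(2021, 3, 4, 10, 0, tzinfo=timezone.utc)


def run(lines=SAMPLE_LOG, rows=FEED, now=NOW):
    """Evaluate every log line against the feed as it stands at `now`."""
    feed = load_feed(rows, now)
    return [decide(line, feed) for line in lines]


if __name__ == "__main__":
    for line, (action, cat) in zip(SAMPLE_LOG, run()):
        print(f"{action:6} {cat or '-':10} {line}")
```

The second log line is the instructive one: the address is on the feed, but its entry expired three days before the log was written, so it is allowed rather than blocked. Whether that is the right default depends on how the feed is refreshed; the point is that the appliance must consult the feed's timestamps rather than a snapshot, which is what a static, published-once list cannot offer.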
The BrightCloud IP Reputation Service includes intelligence on all IPv4 addresses as well as in-use IPv6 addresses. With our enhanced support of both threat and geo data for IPv6 addresses, partners can download data through an API call to receive additional threat information. As IPv6 adoption becomes more prevalent and IPv6 addresses are increasingly being used as an attack vector, having this additional data is critical in protecting the end user. In addition, the add-on IP Threat Insights provides supplementary evidence of why an IP was tagged as malicious, including the type(s) of malware it distributed, the ports and protocols used, and the time span during which it posed a threat.
For more specific use cases, see the Use Cases section of our article, What Is Website Reputation.
Webroot BrightCloud® IP Reputation intelligence
- BrightCloud IP Reputation Service
Even though disabling communications to and from malicious IP addresses does work to prevent threats, you need accurate, predictive threat intelligence to do it effectively. With up-to-the-minute IP intelligence, the BrightCloud IP Reputation Service scores IP addresses based on a reputation index to signal which may be a threat to users.
- BrightCloud Threat Insights (service-specific add-ons)
Threat Insights are available as an additional feature of BrightCloud Threat Intelligence services. They fall into three main categories: insights for the Web Classification and Web Reputation Services, IP Reputation Service, and Real-Time Anti-Phishing Service. In-depth Threat Insights specific to each service provide additional context on why an object received a particular risk/reputation score, allowing you to explore additional related objects for research, security decision-making, incident response and proactive blocking. Using our intuitive SDK or RESTful web service, technology partners can easily integrate Threat Insights into their own solutions.
Learn more about the Webroot BrightCloud IP Reputation Service and how it works here.