Adam Cassar

Co-Founder

Threat intelligence helps organisations make earlier decisions about cyber attacks. One of the most common forms of threat intelligence in cyber security is the IP reputation list. A given IP address might, for example, have a poor reputation for spam, DDoS attacks, malware, or any of several other categories. IP reputation lists often form a front line of defence in Web Application Firewalls and other cyber security solutions.

How Peakhour uses IP threat intelligence

Peakhour supports threat intelligence across more than 20 categories, including:

  • Active DDoS attacks
  • Brute forcing
  • Active attackers
  • Computers infected with malware
  • Anonymous Proxies
  • Forum Spammers
  • TOR anonymous users
  • IPs with poor reputation
  • Unroutable and unassigned IPs
  • Robots and web scrapers
  • Datacenter
  • Hosting Providers
  • Crawlers
  • And more

Customers have access to all 10 lists, which can be enabled as blocklists or used as part of a custom firewall rule, rate limiting rule, or page rule. For example, you may want to disallow POSTs from forum spammers, rate limit proxies, and outright deny traffic from known brute-forcing IPs.

[Image: creating a "spammer can't post" rule]

How does Peakhour assemble these lists?

The IP reputation lists are sourced from third-party sources, including open source intelligence feeds (OSINT), commercial feeds, community feeds, and our own threat intelligence. IPs are categorised into our pre-defined lists and made available to the WAF and rules engine. Each list is re-evaluated and updated based on the data provider's update schedule; some are updated every minute.

Internally managed feeds include bot sources (such as Facebook's crawler IPs) that are verified using reverse DNS (PTR record) lookups and WHOIS verification. WAF hits across customers are consolidated and made available as the Active Attacker list, which is updated in near real time. Our Malware and C&C nodes lists are generated from various partnerships.
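The forward-confirmed reverse DNS check behind that kind of bot verification, as an added example rather than Peakhour's own code; the trusted Googlebot domains and the offline resolver answers are constructed assumptions.

```python
import ipaddress
import socket
# Constructed allow-list (an assumption, not Peakhour's data): a crawler claiming
# to be Googlebot must have a PTR record under one of these parent domains.
GOOGLEBOT_DOMAINS = ("googlebot.com", "google.com")

def reverse_lookup(ip):  # PTR hostname, or None when there is no reverse record
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(hostname):  # every address (A and AAAA) the name resolves to
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def verify_crawler_ip(ip, trusted_domains, reverse=reverse_lookup, forward=forward_lookup):
    """Forward-confirmed reverse DNS: the PTR must sit under a trusted domain and that
    name must resolve back to the same IP (a PTR alone is attacker-controllable)."""
    addr = ipaddress.ip_address(ip)  # rejects malformed input early
    ptr = reverse(ip)
    if not ptr:
        return False, "no PTR record"
    host = ptr.rstrip(".").lower()
    # Match on a label boundary so "googlebot.com.attacker.example" cannot pass.
    if not any(host == d or host.endswith("." + d) for d in trusted_domains):
        return False, f"PTR {host} is outside the trusted domains"
    forward_addrs = set()
    for candidate in forward(host):
        try:
            forward_addrs.add(ipaddress.ip_address(candidate))  # normalises IPv6 forms
        except ValueError:
            continue  # ignore anything that is not an IP literal
    if addr not in forward_addrs:
        return False, f"{host} does not resolve back to {ip}"
    return True, f"forward-confirmed as {host}"

# Constructed resolver answers (documentation ranges) so the demo runs offline.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com.",  # genuine: round-trips
            "192.0.2.11": "crawl.googlebot.com",              # spoofed PTR, no round-trip
            "192.0.2.12": "googlebot.com.attacker.example"}   # look-alike suffix
FAKE_FORWARD = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
                "crawl.googlebot.com": ["198.51.100.7"],
                "googlebot.com.attacker.example": ["192.0.2.12"]}

def demo():  # {ip: verified} for the three constructed cases
    fwd = lambda h: FAKE_FORWARD.get(h, [])
    return {ip: verify_crawler_ip(ip, GOOGLEBOT_DOMAINS, FAKE_PTR.get, fwd)[0] for ip in FAKE_PTR}
```

Only the first address passes: the second has a plausible PTR that does not round-trip, and the third only looks like a Googlebot name.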

The Anonymous Proxies list contains known open proxies, services that relay traffic without authentication, whilst our targeted VPN list tracks known third-party VPN services.

IPs are fed back into our system for re-evaluation to help identify emerging behaviour within our customer data.

Data visualisation

Requests from IPs that match a blocklist are tagged with the lists they belong to. Firewall events are enriched with this information, providing visibility into security threats. This context helps you decide how to handle requests, whether they should be blocked, rate limited or observed.

[Image: IP reputation events; firewall events generated by reputation matches]

Blocks generated by our reputation lists can also be viewed in our analytics section.


Future work

We are working on additional data sources to further refine and expand our lists. This includes further segregating our data centre lists and categorising IPs that appear on several lists. We are also introducing our threat research centre to discover possible threats and enrich data blocked only by our WAF.

IP threat intelligence adds another layer of security to a cyber defence system. Peakhour sources and maintains up-to-date threat intelligence, helping our clients better protect themselves against would-be attackers.

See how Peakhour's IP threat intelligence supports the first line of defence for your applications. Contact our team to discuss your security requirements.