Unmasking the Challenges of Blocking Malicious IP Addresses: Overcoming the Unknown
In the ever-evolving threat landscape, identifying and blocking malicious IP addresses is an essential defense mechanism. However, this task presents unique challenges that demand careful consideration and innovative approaches.
The registration details for IP addresses are less transparent than those for domain names, which makes it harder to find ownership information, registration dates, and the responsible parties. Like domains, IP addresses are registered and can be queried through WHOIS services run by registries such as RIPE and ARIN; nevertheless, the information returned for an IP address is often far sparser than the detailed records available for a domain name.
This distinction significantly impacts the ability to assess and validate the entities behind IP addresses. Additionally, another obstacle arises with dynamic IPs, where the IP address of a device changes periodically, making it harder to track and block malicious activity effectively. It becomes even more challenging when an IP address serves as a shared hosting platform or a cloud provider, accommodating both legitimate and non-legitimate sources.
In this blog post, we aim to shed light on the challenges of blocking malicious IPs and on effective strategies for overcoming them without blocking legitimate traffic.
The challenges
The absence of a comprehensive registration process for IP addresses hampers efforts to obtain ownership details, registration dates, and signers, making it difficult to establish accountability. Figure 1 shows how little readable information the WHOIS service returns when researching an IP address.
Figure 1: Limited Information on IP Addresses from WHOIS Service.
A couple of phenomena in how IPs are used across the internet add a further layer of complexity to correct identification:
- Dynamic IP addresses – ISPs often reassign an IP to a different customer once it is no longer in use, making it harder to track and block malicious activity effectively. The constant fluctuation of IP addresses demands adaptable solutions capable of keeping pace with these changes.
- Shared IP addresses – commonly used in shared hosting environments, where multiple websites and domains are hosted on the same IP address. This means that a single IP address can host both legitimate and non-legitimate sources simultaneously. Content Delivery Networks (CDNs), which use shared hosting to quickly and efficiently spread content across the internet, handle these shared resources with sophisticated mechanisms. These mechanisms ensure the swift delivery of content while attempting to mitigate security risks.
However, in the context of blocking systems, a false positive (blocking a legitimate site) is often considered more detrimental than a false negative (allowing a malicious site through). Hence, when faced with a situation where both legitimate and non-legitimate sites are hosted on the same IP, a cautious approach is necessary. Instead of solely relying on the IP address for blocking, it is imperative to employ different parameters and indicators to accurately identify and block the specific malicious target while ensuring uninterrupted operation for legitimate sites.
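As an added illustration (not code from the post or from Cato), the following Python sketch makes the blocking decision the paragraph describes: it blocks by IP only when every hostname observed on that address is malicious, and otherwise blocks just the malicious hostnames so legitimate tenants of the shared IP keep working. The IPs, hostnames and classifications are constructed sample data, not real observations.

```python
from dataclasses import dataclass, field


@dataclass
class Verdict:
    action: str                              # "block_ip", "block_hostnames" or "allow"
    targets: list = field(default_factory=list)


# Constructed sample data: hostnames observed resolving to each IP (e.g. from
# passive DNS or TLS SNI logs) and the subset classified as malicious.
HOSTED = {
    "203.0.113.10": {"phish-example.test", "shop-example.test", "blog-example.test"},
    "203.0.113.20": {"c2-example.test"},
    "203.0.113.30": {"mail-example.test"},
}
MALICIOUS = {"phish-example.test", "c2-example.test"}


def decide(ip: str, hosted=HOSTED, malicious=MALICIOUS) -> Verdict:
    """Choose the narrowest block that removes the malicious content on an IP."""
    names = hosted.get(ip, set())
    bad = names & malicious
    if not bad:
        return Verdict("allow")
    # Every hostname on the address is malicious: an IP block costs nothing legitimate.
    if bad == names:
        return Verdict("block_ip", [ip])
    # Shared IP with legitimate tenants: block only the malicious hostnames
    # (matched on TLS SNI or the HTTP Host header), never the whole address,
    # because a false positive here outweighs a false negative.
    return Verdict("block_hostnames", sorted(bad))


if __name__ == "__main__":
    for ip in HOSTED:
        print(ip, decide(ip))
```

The same rule generalises to any enforcement point that can see the hostname (a proxy, a DNS resolver, a SASE edge): the more tenants an address has, the more the decision should move from the IP to the specific name.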
Figure 2 demonstrates that a significant portion of IP addresses, approximately a quarter, is associated with multiple domains. This shared hosting scenario can involve thousands of diverse domains, as shown in the accompanying map on the right.
Figure 2: Distribution of Server IPs by Number of Shared Domains
Refer to Figure 3 for an illustration of a shared hosting IP address hosting both a highly malicious phishing site – ultrasafe.co.in and a legitimate business and economy site – skygo.in.
This IP is managed by eWebGuru, a hosting service provider that allocates server resources to various clients. This example highlights the challenges in cybersecurity within shared hosting environments, where both benign and harmful sites can coexist on the same server.
Figure 3: Shared Hosting IP Address Hosting Multiple Domains.
Identification & Blocking Strategies
There are multiple strategies to consider when tackling the challenges above. Let's explore them in detail:
From a network perspective
- Analyzing the reverse DNS name associated with an IP address can provide valuable insight into the nature of the IP. An empty record, or a case where the IP address string itself is returned instead of a regular host name, can serve as an indicator of suspicious activity.
- Examining the destination port used to reach the IP address can also yield valuable information. For example, use of destination port 445 (SMB) over the internet is unlikely to be legitimate and can raise suspicion about the IP's intent.
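The two network-perspective checks above, as an added Python example (not code from the post): a reverse-DNS indicator and a destination-port indicator, combined into a list of reasons for one observed flow. The `lookup_ptr` helper performs a real reverse lookup with the standard library; `network_indicators` takes the PTR result as an argument so it can be exercised offline on constructed inputs. The port table contains only 445 (SMB) from the post; the "PTR merely embeds the address" rule is an assumption that goes slightly beyond the text and is marked as such.

```python
import ipaddress
import socket

# Destination ports with no legitimate use over the public internet.
# The post names 445 (SMB); extend this table with your own policy.
SUSPICIOUS_DST_PORTS = {445: "SMB"}


def lookup_ptr(ip: str):
    """Reverse-DNS lookup; returns the PTR hostname, or None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def ptr_indicator(ip: str, ptr):
    """Return a reason string when the PTR record looks suspicious, else None."""
    if ptr is None or ptr.strip() == "":
        return "no PTR record"
    name = ptr.strip().rstrip(".")
    if name == ip:
        return "PTR is the bare IP address"
    # Assumption (beyond the post): a generic PTR that only embeds the address,
    # such as 203-0-113-10.static.example, carries no ownership signal either.
    if ip in name or ip.replace(".", "-") in name:
        return "PTR only embeds the IP address"
    return None


def port_indicator(dst_port: int):
    """Return a reason string when the destination port is suspicious over the internet."""
    svc = SUSPICIOUS_DST_PORTS.get(dst_port)
    return f"destination port {dst_port} ({svc}) over the internet" if svc else None


def network_indicators(ip: str, ptr, dst_port: int):
    """Collect the network-perspective indicators for one observed flow."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return [r for r in (ptr_indicator(ip, ptr), port_indicator(dst_port)) if r]


if __name__ == "__main__":
    # Constructed flow: documentation-range IP, no PTR, SMB destination port.
    print(network_indicators("203.0.113.10", None, 445))
```

In production the PTR would come from `lookup_ptr(ip)` (or, better, from a passive-DNS store so the check does not itself generate traffic to the suspect address); the indicators are signals to be weighed with the threat-intelligence and popularity evidence discussed next, not a verdict on their own.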
From a Threat Intelligence perspective
Another strategy involves leveraging threat intelligence from multiple sources. Combining different threat intelligence feeds that all point to the same IP address as malicious can significantly increase confidence in its classification.
Collaborative Information and tracking approach
Malicious IP addresses often have low popularity: they receive a minimal share of traffic compared with more widely used addresses. In this context, popularity refers to how often a specific IP address is accessed by users; a low-popularity address is one that is rarely visited, unlike a well-known site. This lower visibility can help distinguish malicious addresses from legitimate sources. However, an issue arises when, for example, a new Microsoft server or any other legitimate entity is assigned a new IP address: initially, that address falls into the low-popularity category, potentially leading to a false assumption of malicious intent. To address this concern, one further strategy is crucial.
To gain more confidence in the classification of an IP address, it is necessary to track its popularity over more than one day. By observing the IP address’s behavior and monitoring its popularity over time, it becomes possible to assess whether its popularity remains consistently low, which would indicate a higher likelihood of it being associated with malicious activity. This multi-day tracking approach provides a more comprehensive understanding of the IP’s patterns and helps mitigate the risk of false positives while strengthening the accuracy of IP blocking decisions.
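The threat-intelligence consensus and the multi-day popularity tracking described above, as one added Python example (not code from the post or from Cato's platform). An `IPReputation` tracker counts how many distinct feeds flag an address and records daily request counts; it treats popularity as "consistently low" only once the address has enough history, which is exactly what keeps a freshly deployed legitimate server (low traffic on day one) from being misclassified. The thresholds, feed names, IPs and hit counts are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta


class IPReputation:
    """Combine two signals from the post: agreement between independent threat-intel
    feeds, and request popularity tracked over several days. All thresholds are
    illustrative assumptions, not values from the post."""

    def __init__(self, min_feeds=2, low_popularity=50, min_days=3):
        self.min_feeds = min_feeds            # distinct feeds that must agree
        self.low_popularity = low_popularity  # daily hits below this count as "low"
        self.min_days = min_days              # days of history needed before popularity is trusted
        self.feeds = defaultdict(set)         # ip -> names of feeds flagging it
        self.hits = defaultdict(dict)         # ip -> {date: hits observed that day}

    def ingest_feed(self, feed_name, ips):
        for ip in ips:
            self.feeds[ip].add(feed_name)

    def record_hits(self, ip, day, count):
        d = date.fromisoformat(day)
        self.hits[ip][d] = self.hits[ip].get(d, 0) + count

    def feed_consensus(self, ip):
        return len(self.feeds[ip]) >= self.min_feeds

    def consistently_unpopular(self, ip, as_of):
        """True only when the IP has at least min_days of history and stayed below
        the popularity threshold on each of the last min_days days."""
        seen = self.hits[ip]
        if not seen:
            return False
        end = date.fromisoformat(as_of)
        if (end - min(seen)).days + 1 < self.min_days:
            return False  # too new to judge: a just-deployed legitimate server looks identical
        window = (end - timedelta(days=i) for i in range(self.min_days))
        return all(seen.get(d, 0) < self.low_popularity for d in window)

    def verdict(self, ip, as_of):
        consensus = self.feed_consensus(ip)
        unpopular = self.consistently_unpopular(ip, as_of)
        if consensus and unpopular:
            return "block"
        if consensus or unpopular:
            return "watch"  # a single signal: keep tracking, do not block yet
        return "allow"


def demo():
    """Constructed scenario: a C2-like address flagged by two feeds with steady low
    traffic, a new legitimate server whose traffic ramps up, and an address flagged
    by two feeds but seen for only one day."""
    rep = IPReputation()
    rep.ingest_feed("feed-A", ["203.0.113.20", "198.51.100.5", "203.0.113.40"])
    rep.ingest_feed("feed-B", ["203.0.113.20", "203.0.113.40"])
    for day, n in (("2024-01-01", 3), ("2024-01-02", 2), ("2024-01-03", 4)):
        rep.record_hits("203.0.113.20", day, n)
    for day, n in (("2024-01-01", 5), ("2024-01-02", 80), ("2024-01-03", 400)):
        rep.record_hits("198.51.100.5", day, n)
    rep.record_hits("203.0.113.40", "2024-01-03", 1)
    return {ip: rep.verdict(ip, "2024-01-03")
            for ip in ("203.0.113.20", "198.51.100.5", "203.0.113.40")}


if __name__ == "__main__":
    print(demo())
```

The "watch" state is the practical heart of the approach: an address that one signal flags is kept under observation rather than blocked, and the decision is revisited as each new day of popularity data arrives.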
By implementing these strategies, organizations can enhance their ability to identify and block malicious IP addresses effectively while minimizing the risk of blocking legitimate sources. These techniques provide a comprehensive understanding of IP behavior, improving the overall security posture and reducing the impact of potential false positives.
Real World Application & Conclusion
At Cato, as part of our comprehensive SASE solution, we leverage the power of big data, taking advantage of our vast data lake to differentiate precisely between legitimate and illegitimate addresses. This is further enhanced by crowdsourced insights from across our network. Additionally, Cato leverages AI/ML models to consolidate data from both internal and external sources, streamlining the decision-making process for blocking malicious IPs. These strategies, rooted in data intelligence and a data-driven approach, are fundamental in crafting robust cybersecurity measures that not only address current threats but also adapt to the evolving digital landscape.
The mission of blocking malicious IP addresses is indeed of utmost importance in establishing a secure perimeter. But this task poses unique challenges as we have highlighted. By implementing the recommended strategies, including analyzing the nature of the traffic, considering the popularity of the targets, integrating tracking, and utilizing multiple threat intelligence sources, organizations can fortify their networks and systems against malicious activities. This proactive approach helps safeguard sensitive data and ensures uninterrupted operations, contributing to a robust and resilient cybersecurity posture.