Choosing an IP Address Reputation List
Are you looking to check the IP address reputation of a host that you suspect might be involved in unwanted or malicious activity? This article suggests a few websites where you can look.
VERY IMPORTANT: A single IP address can host thousands of websites. If an IP address shows up on a list, the hit may be the result of traffic to a web page that is not malicious at all. If the IP address hosts, for example, 1,000 websites and only one of them pushes malware, the IP address is still associated with malware and will end up on the IP address reputation list; the 999 innocent sites share the hit.
Visit the sites listed below to see whether the IP address shows up:
- Open DNS Resolver Project
- Threat Stop
We gathered the above URLs from Host Reputation; however, many other sites offer a similar service. Domain reputation is a great way to uncover malware as well. Remember, a single IP address can host thousands of domains, so a domain reputation lookup can be more precise than an IP lookup when you are trying to uncover unwanted activity: it tells you whether the one site the host actually talked to is the bad one, rather than whether anything on that server is.
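The shared-hosting caveat above is easiest to act on if you can tie an IP reputation hit back to the domain the internal host actually resolved. The following is an added example (not code from the original article or from any of the services it names) that joins a constructed resolver log with constructed IP and domain blocklists: an IP-only hit with no listed domain behind it is reported as a possible shared-hosting false positive, while a hit where the resolved domain is itself listed is reported as confirmed. The blocklists, the log format and the addresses (RFC 5737 ranges, `.example` names) are all assumptions made up for the example.

```python
"""Correlate an IP-reputation hit with the domain a client actually contacted.

Constructed example: the blocklists, the resolver log and all addresses below
are made up to illustrate the shared-hosting problem. They are not a real
reputation feed and do not reflect any particular service's API.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed feeds: one listed IP, and one of the domains hosted on it listed.
IP_REPUTATION = {"203.0.113.10": "malware distribution"}
DOMAIN_REPUTATION = {"bad-cdn.example": "malware distribution"}

# Constructed resolver log: "client qname answer", one lookup per line.
DNS_LOG = """\
10.0.0.5 shop.example 203.0.113.10
10.0.0.5 news.example 203.0.113.10
10.0.0.9 bad-cdn.example 203.0.113.10
10.0.0.9 mail.example 198.51.100.7
"""


@dataclass
class Verdict:
    client: str
    dst_ip: str
    ip_listed: bool
    domains: list          # names this client resolved to dst_ip
    listed_domains: list   # the subset that is on the domain blocklist

    @property
    def label(self) -> str:
        if not self.ip_listed:
            return "clean"
        if self.listed_domains:
            return "confirmed"
        if self.domains:
            return "ip-only hit (possible shared hosting)"
        return "ip-only hit (no DNS context)"


def parse_dns_log(text: str) -> dict:
    """Index the log as (client, answer_ip) -> set of names that resolved to it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, answer = line.split()
        seen[(client, answer)].add(qname.lower())
    return seen


def assess(client: str, dst_ip: str, dns_index: dict) -> Verdict:
    """Check the IP list, then refine the verdict with the client's DNS history."""
    domains = sorted(dns_index.get((client, dst_ip), ()))
    listed = [d for d in domains if d in DOMAIN_REPUTATION]
    return Verdict(client, dst_ip, dst_ip in IP_REPUTATION, domains, listed)


if __name__ == "__main__":
    idx = parse_dns_log(DNS_LOG)
    for client, dst in [("10.0.0.5", "203.0.113.10"),
                        ("10.0.0.9", "203.0.113.10"),
                        ("10.0.0.9", "198.51.100.7")]:
        v = assess(client, dst, idx)
        print(f"{client} -> {dst}: {v.label}; resolved={v.domains}; listed={v.listed_domains}")
```

In practice the DNS index would come from your resolver logs or a passive DNS feed, and the lookups from the reputation sites listed above; the logic of "IP listed, but which name did this host ask for?" is the part that stays the same.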
DO NOT PANIC! Often, people want to shut down infected computers immediately. If you do this, you can no longer use that machine's traffic to find other infected computers on the network. For example, what did the malware's traffic pattern look like? Use a good NetFlow or IPFIX collector to figure this out. A good flow reporting solution should collect and save flow data for weeks, if not months. Save the reporting profile of the malware's traffic behavior (which hosts and ports it contacted, how often, and how much data it moved) and use it to find other machines on the network that behave the same way. If you are investigating malware on a specific system in order to positively identify the infected files, we recommend running a tool such as WinPrefetchView on the infected PC to see which executables were recently run and when.
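To make "save the profile and use it to find other machines" concrete, here is an added example that is not part of the original article or of any flow collector product. It reads constructed flow records in the fields a NetFlow/IPFIX exporter typically provides (timestamp, source, destination, protocol, destination port, bytes), builds a profile of a known-infected host from its most frequently contacted endpoint (the beacon), records the median interval and flow size, and then scans every other host for the same cadence to the same endpoint. Keying on the beacon rather than on every endpoint is deliberate: the infected host also talks to the DNS server, and matching on that would flag the whole network. The addresses, timestamps and thresholds are assumptions made up for the example.

```python
"""Profile a known-infected host's beaconing from flow records, then hunt
for other hosts with the same behaviour.

Constructed example: the flow records below are made up (RFC 5737 addresses)
and only mimic the fields a NetFlow/IPFIX collector exports; this is not the
output or API of any particular collector.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed flow export: epoch seconds, src, dst, proto, dst port, bytes.
# 10.0.0.5 is the known-infected host: it beacons to 203.0.113.10:443 every
# 300 s with ~1.2 KB flows. 10.0.0.9 does the same. 10.0.0.12 fetched one
# large file from that IP once (think shared hosting), 10.0.0.20 only did DNS.
FLOWS = """\
1700000000 10.0.0.5 203.0.113.10 tcp 443 1200
1700000300 10.0.0.5 203.0.113.10 tcp 443 1180
1700000600 10.0.0.5 203.0.113.10 tcp 443 1210
1700000900 10.0.0.5 203.0.113.10 tcp 443 1190
1700000100 10.0.0.5 198.51.100.7 udp 53 80
1700000020 10.0.0.9 203.0.113.10 tcp 443 1230
1700000320 10.0.0.9 203.0.113.10 tcp 443 1199
1700000620 10.0.0.9 203.0.113.10 tcp 443 1205
1700000050 10.0.0.12 203.0.113.10 tcp 443 54000
1700000070 10.0.0.12 198.51.100.7 udp 53 90
1700000200 10.0.0.20 198.51.100.7 udp 53 85
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


@dataclass
class Profile:
    """The saved behaviour: the beacon endpoint, its cadence and flow size."""
    beacon: tuple      # (dst, proto, dport)
    interval: float    # median seconds between beacon flows
    size: float        # median bytes per beacon flow


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(dport), int(nbytes)))
    return flows


def build_profile(flows: list, infected_host: str) -> Profile:
    """Take the endpoint the infected host contacted most often as its beacon."""
    by_endpoint = defaultdict(list)
    for f in flows:
        if f.src == infected_host:
            by_endpoint[(f.dst, f.proto, f.dport)].append(f)
    beacon = max(by_endpoint, key=lambda k: len(by_endpoint[k]))
    ts = sorted(f.ts for f in by_endpoint[beacon])
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    sizes = [f.nbytes for f in by_endpoint[beacon]]
    return Profile(beacon, median(gaps) if gaps else 0.0, median(sizes))


def find_matches(flows: list, profile: Profile, min_flows: int = 3,
                 tolerance: float = 0.25) -> dict:
    """Return every host (the profiled one included, as a sanity check) whose
    flows to the beacon endpoint repeat with the same interval and size."""
    by_host = defaultdict(list)
    for f in flows:
        if (f.dst, f.proto, f.dport) == profile.beacon:
            by_host[f.src].append(f)
    matches = {}
    for host, fs in by_host.items():
        if len(fs) < min_flows:
            continue  # one download from a shared-hosting IP is not a beacon
        ts = sorted(f.ts for f in fs)
        gap = median([b - a for a, b in zip(ts, ts[1:])])
        size = median([f.nbytes for f in fs])
        if (abs(gap - profile.interval) <= tolerance * profile.interval
                and abs(size - profile.size) <= tolerance * profile.size):
            matches[host] = {"flows": len(fs), "interval": gap, "bytes": size}
    return matches


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    profile = build_profile(flows, "10.0.0.5")
    print("profile:", profile)
    for host, info in sorted(find_matches(flows, profile).items()):
        print(f"{host}: {info}")
```

The same approach generalises beyond this page's single-host case: run `build_profile` on each confirmed host, and treat any profile that matches several machines as the signature to sweep the collector's retained weeks of flow data with. Timing tolerance matters because real beacons jitter; the 25% used here is an assumption, not a recommended value.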
Good luck with your cyber attack incident response program.