Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Communications

New IP Address Blacklist Based On Web Chatter 31

itwbennett writes: A new approach to assembling blacklists analyzes chatter on the dark and open Web and can find malicious IP addresses that would have been missed using honeypots and intrusion detection systems, according to a report by security startup Recorded Future. On traditional blacklists, 99 percent of the addresses are for inbound activity, 'when someone is attacking your system from an external address,' said Staffan Truvé, chief scientist and co-founder at Recorded Future. On Recorded Future's new list, half of the addresses are for outbound activity, 'when an intruder is already in your systems, and is trying to connect to the outside world to exfiltrate data,' said Truvé. For example, Recorded Future identified 476 IP addresses associated with both the Dyreza and the Upatre malware families — only 41 of which were known to existing blacklists.
This discussion has been archived. No new comments can be posted.

New IP Address Blacklist Based On Web Chatter

Comments Filter:
  • Seems like IPs sending out their sensitive data to attackers would normally be termed "victims"?

    • Oatensibly, this would blacklist bots...

      Then again, if someone popped onto a random IRC server in the undernet, and started chatting about every IP address for windowsupdate.com...

      I am also curious as to how they handle DHCP, and if there's a timeout for the IPs listed?

      • But, with the new features built into Windows10, Windows updates can come from anywhere!

        What could possibly go wrong with that??

      • It sounds to me like it's blacklisting the IPs being connected to. Easy to spoof, though, just have your malware connect to dozens of random IPs along with the few actual IPs you're using, then the list becomes so full of false positives that it is rendered useless.
    • by Anonymous Coward on Thursday August 13, 2015 @11:27AM (#50309873)

      The article doesn't come out clearly to state this, but I can't see them adding end users IPs to a black list, I suspect that are referring to the IP the infected machine is trying to send data TO, as opposed to the IPs that the attacks are originating from.

      Think command an control network as inbound, it sends package updates and commands to the infected machine.
      The infected machine then attempts to send data off to another server, likely not connected in any way to the C&C system. This outbound IP would be blockable.

      But you can't block the users ip as it's likely a dynamic IP assigned by their ISP.

      Then again you can argue that once you are infected, you should be blacklisted and that could be something to look into.

      I read the article (not the full report) and they are talking about scanning tweets, chats, pastebins and other stuff looking for IPs / domains with at least 2 mentions of malware.

      I find it hard to believe these IPs are end users machines.

      • The article doesn't come out clearly to state this, but I can't see them adding end users IPs to a black list,

        Why not? You might not blackhole the IP, but you could certainly ignore whole classes of traffic from such a host, and you could redirect them to a page telling them to get their act together.

  • by BronsCon ( 927697 ) <social@bronstrup.com> on Thursday August 13, 2015 @11:39AM (#50309991) Journal
    Somebody create a piece of malware that connects to random IP addresses!
  • by Anonymous Coward
    Come on submitters and editors. Can't you understand that whitelists and blacklists have a racist history? The accepted terms are "allow list" and "block list". This isn't that hard.
  • The problem with IPs found this way is that they are often associated with hundreds to thousands of web sites, and the bad actors shift between these backends rapidly. For instance I have seen cases where there are a few Wordpress generated sites out of thousands being used to host malware configs and updates at a single IP of a low-end hosting provider. I have seen many similar instances where the IP was associated with AWS. The most precise way to blacklist sites like this is by hostname and not by IP.
  • Once IPV6 is widely adopted, the idea of having any meaningful data associated with an IP address is DEAD.

    The bad guys will have a nearly limitless pool of IPs to spoof and choose from, and they'll just discard them every few seconds or minutes and a get a new batch to use. That's because IPV6 has a mind-bogglingly immense address space. How much? Well....

    Let's assume every single one of the 100 billion stars in the galaxy is inhabited, and each star has a population of 10 trillion humans in orbit around it

  • For whatever reason, the most negative people on /. always manage to get first posts. Some posters have already pointed out limitations but let's talk about the benefits of this. If a bunch of hosts on my network start communicating in a way that they never have before, that me the sign that an infiltration has occurred. Inbound scanning looks for things trying to get through your firewall from the outside. But as we also point out on /. all the time, does almost nothing against social engineering attac

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...