What Is IP Blacklisting?
IP blacklisting is a method used to filter out illegitimate or malicious IP addresses from accessing your networks. Blacklists are lists containing ranges of or individual IP addresses that you want to block. You can use these lists in combination with firewalls, intrusion prevention systems (IPS), and other traffic filtering tools.
Creating and applying blacklists enables you to filter malicious traffic according to policies or through the manual addition of IP addresses. Many network security tools that use blacklists are also able to add new addresses to be blocked. This can be done as externally referenced lists are updated or according to the results of event analysis.
5 IP Blacklisting Challenges
Although blacklisting is a good way to prevent specific IPs from accessing your network, it is not a foolproof method. This is because attackers have developed multiple ways to get around blacklisting. These methods include:
1. Changing IP addresses
Many attackers work to avoid getting put on blacklists in the first place by periodically changing their IP address. Criminals may have a range of addresses that they use, enabling them to swap addresses if they find that one is blocked. These changes also make it more difficult to track attackers, reducing the risk of prosecution.
2. IP spoofing
In case of network layer attacks (e.g. DDoS attacks that don’t require a full three-way TCP connection), attackers can use IP spoofing to make it appear as though they are connecting via a different IP address. This enables them to bypass blacklisting while obscuring their identity. It can also enable them to trick monitoring systems into thinking that compromised credentials are being used legitimately.
Many attackers operate massive botnets, including thousands to millions of end-user devices or Internet of Things (IoT) devices. The attackers compromise these devices and take control over them, or in many cases, rent a botnet as a service on the dark web.
Due to the increased availability and size of botnets, many attacks are performed using very large numbers of IP addresses, which may constantly change as devices join and leave the botnet. IP blacklists cannot defend against this attack scenario.
4. False positives
False positives are another challenge you might face when implementing blacklists. Although not related to attackers or security, these challenges can still interrupt productivity.
5. Inaccurate IP detection
Another challenge is if you have multiple individuals using the same IP address. When IP addresses are dynamically assigned you have no way of knowing who the end-user currently using an address is. This means that if you block one user due to abusive actions, you may accidentally prevent a legitimate user from accessing your network in the future.
Reputation Intelligence: The Next Generation of IP Blacklists
Due to the challenges associated with blacklisting, this method is not particularly effective for modern security practices. Instead of blacklisting, security teams can use reputation intelligence. Reputation intelligence is data about users or cyber entities that can be applied to restricting or allowing activity via web application firewalls (WAFs).
Reputation intelligence data provides additional context about user behavior, letting you cross-verify suspicious behavior sequences with historical information about the IP ranges users are connecting from. This helps security teams identify threats based on this information and reduces the need to individually evaluate every network event.
In particular, reputation intelligence can help you identify and block the following entities:
- Malicious IP addresses—IPs known to be used in attacks.
- Anonymous proxies—users coming from proxy servers that hide their IP information.
- TOR networks—resource sharing user networks that can be used by attackers to disguise the source of traffic.
- Phishing URLs—URLs of sites known for phishing attacks.
- Comment spammers—IP addresses of users known to spam content or messages.
What Information Can Reputation Intelligence Provide?
Reputation intelligence provides information that can help you narrow down who potential attackers are, and can be applied to effectively distribute your network security resources. Below is the type of information that you can gain.
A risk score is determined for each IP accessing your network. This score is based on the activity of the IP address during the last two weeks. As the number and severity of attacks performed by an IP increases, the risk score also increases.
Details about attacks performed by a specified IP address include:
- Associated organization name and ASN
- Number of requests sent in the last two weeks
- Known attack methods used by the IP
- Known targets of attacks stemming from the IP
Geographical targeting represents information on where attack targets are located. This information can help you determine if you are likely to be the target of a particular IP based on its attack history and location preference.
Imperva Reputation-Based IP Filtering
Imperva provides reputation intelligence capabilities that fill the gaps left by traditional IP blacklists. Instead of constantly worrying about IP spoofing, alternating botnet IPs, search engine crawlers, and false positives, you can leverage the power of Imperva’s advanced bot protection management tooling.
Imperva’s reputation intelligence provides you with the information needed to compile an accurate profile of traffic. For each IP, you get the following details:
- Risk assessment—this score is calculated by Imperva researchers to help you better understand the maliciousness level of each IP. Using this information, you can more accurately prioritize response mitigation.
- Attack types and tools—provides information about IP attack types, including the tools used during the attack.
- Attack scope—you get increased visibility into the range and perimeter of the attack, including attacked industries, geographical targeting, and violations.
- API integration—Imperva’s Reputation API can support your in-house dashboards and workflows. This integration automatically delivers reputation intelligence to your WAF, enabling you to consume reputation intelligence on a continual basis.
Once you get a detailed profile of each IP, you can then take the appropriate action. You can use reputation intelligence to block threats, perform forensics, and build compound policies. If you set your WAF to blocking mode, based on Imperva’s reputation intelligence, you can even achieve a low-to-zero false-positive rate.