There are a number of IP Reputation services available for public consumption.  A personal favorite was the Packetmail IP Rep service which unexpectedly shut down in September.  Looking for an IP reputation API to replace Packetmail in some of my scripts lead me to Neutrino and their many APIs which can be used to query many facets of an IP.  While their host-reputation API provides an adequate replacement for Packetmail, what got my attention was another Neutrino API, ip-blocklist, which, in my opinion, can be used as a wet finger estimate of potential badness of any IP.  

Once you have signed up for a Neutrino user-id and API Key, you can access the APIs through a web interface or programmatically via the APIs.  The free API account is limited by the number of queries per day, but provides enough capability for the casual user who just wants to check out an IP.  

According to the ip-blocklist API documentation:

"IP blocklist will detect the following categories of IP addresses:

  • Malware and spyware
  • Criminal netblocks
  • Tor nodes
  • Proxies and VPNs
  • Spiders
  • Bots and botnets
  • Spammers
  • Exploit scanners"

The people at Neutrino do the aggregation of the various blocklists (including DShield) and provide you an easy way of measuring the general badness of an IP.  So the next time you see an IP scanning your webserver you can run it through the Neutrino ip-blocklist API and get an idea of how nasty others think it is.

I threw together a quick python script (included below) to use the Neutrino ip-blocklist API. When the script is run for an IP on Daniel Austin's Tor Node list the resulting output is:

$python ipblocklist.py 1.172.112.36

Neutrino Blocklist Service

IP:  1.172.112.36
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-12 17:27:10
Proxy:  False
Tor:  True
VPN:  False
Malware:  False
Spyware:  False
Dshield:  False
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u'tor']
 

When run for an IP on the DShield Blocklist the resulting output is:

$python ipblocklist.py 196.52.43.0

Neutrino Blocklist Service

IP:  196.52.43.0
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-11 17:25:16
Proxy:  False
Tor:  False
VPN:  False
Malware:  False
Spyware:  False
Dshield:  True
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u'dshield']
 

Sorry, I was unable to find any nastier IPs to show the results, but I think you can see the potential.

---------------------- ipblocklist.py script -------------------------------------

#!/usr/bin/env python
#
import sys, getopt, argparse, requests, json
import urllib, urllib2
import time

def ipblocklist_host(ip):

   NEUTRINO_URL = 'https://neutrinoapi.com/ip-blocklist'
   NEUTRINO_USERID = '<YOUR-NEUTRINO-USERID>'
   NEUTRINO_API_KEY = '<YOUR-NEUTRINO-API-KEY>'

   NEUTRINO_PARAMS = {
      'user-id': NEUTRINO_USERID,
      'api_key': NEUTRINO_API_KEY,
      'ip': ip
   }

   req = urllib2.Request(NEUTRINO_URL, urllib.urlencode(NEUTRINO_PARAMS))
   response = urllib2.urlopen(req)
   result = json.loads(response.read())

   print "\n\nNeutrino Blocklist Service\n"
   print "IP: ", result['ip']
   print "On Blocklist: ", result['is-listed']
   print "Number of Blocklists: ", result['list-count']
   print "Last Seen: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(result['last-seen']))
   print "Proxy: ", result['is-proxy']
   print "Tor: ", result['is-tor']
   print "VPN: ", result['is-vpn']
   print "Malware: ", result['is-malware']
   print "Spyware: ", result['is-spyware']
   print "Dshield: ", result['is-dshield']
   print "Hijacked: ", result['is-hijacked']
   print "Spider: ", result['is-spider']
   print "Bot: ", result['is-bot']
   print "SpamBot: ", result['is-spam-bot']
   print "ExploitBot: ", result['is-exploit-bot']
   if result['list-count'] > 0:
      print "List of Blocklists: \n", result['blocklists']

   return;

def main():

   parser = argparse.ArgumentParser()
   parser.add_argument('IP', help="IP address")
   args=parser.parse_args()

   ipblocklist_host(args.IP)

main()   # invoke main
 

P.S. I only use Python for quick and dirty tools for personal use. I am sure this script could be written a whole lot better by someone with actual skill in Python. (-;

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
FreeBSD TCP Reassembly CVE-2018-6922 Denial Of Service Vulnerability
 

Posted by InfoSec News on Nov 12

https://www.theregister.co.uk/2018/11/08/gdpr_usa_congressman/

By Shaun Nichols
The Register
8 Nov 2018

The rash of high-profile IT security breaches, data thefts, and other
hacks that have erupted over the last year or so may push US legislators
to consider laws similar to Europe's privacy-protecting GDPR.

This is according to Representative Will Hurd (R-TX), who told attendees
at the Aspen Cyber Summit in San Francisco today that...
 

Posted by InfoSec News on Nov 12

https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/

By Brian Krebs
Krebs on Security
November 7, 2018

KrebsOnSecurity recently had a chance to interview members of the REACT
Task Force, a team of law enforcement officers and prosecutors based in
Santa Clara, Calif. that has been tracking down individuals engaged in
unauthorized "SIM swaps" -- a complex form of mobile phone fraud that is
often used to steal...
 

Posted by InfoSec News on Nov 12

https://www.zdnet.com/article/us-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal/

By Catalin Cimpanu
Zero Day
ZDNet News
November 8, 2018

On Monday, the Cyber National Mission Force (CNMF), a subordinate unit of
US Cyber Command (USCYBERCOM), set in motion a new initiative through
which the DOD would share malware samples it discovered on its networks
with the broader cybersecurity community.

The CNMF kicked off this new...
 
Multiple VMware Products CVE-2018-6982 Information Disclosure Vulnerability
 
Google Chrome V8 Out of Bounds Memory Access Vulnerability
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status