Author: Pierre Le Bourhis

10 April 2017 / Articles

Netblocks identification

These days, many security products such as Host-based Intrusion Detection Systems (HIDS), Network Intrusion Detection Systems (NIDS) and Anti-Viruses (AV) rely on Indicators of Compromise (IOC) to detect and respond to violations of the security policy. An IOC relies on attributes such as malicious email addresses, domain names, file hashes and IP addresses to characterise a compromise. Among all these attributes, the malicious IP address is one of the simplest and is therefore often used in the network defense process. For example, firewalls can leverage IOCs to block any communication between the organisation's assets and malicious IP addresses. Unfortunately, shared hosting means that multiple domain names can resolve to a single IP address. Consequently, an analyst may produce coarse-grained IOCs if they do not identify that only a subset of the services hosted on an IP address is malicious. Such an IOC can be disastrous for a company if vital services get banned because of this false positive.

To limit the risk of false positives, an analyst must determine precisely whether the collected IP address is used by one or by many websites and, in the latter case, ensure that all the associated websites are malicious. This type of work is tedious, but it reduces to the following question: “Is it a shared IP address?”
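As an added illustration of the false-positive risk described above (example code, not part of the original article), the following Python triages a candidate IP IOC against a table of domain-to-IP resolutions such as an analyst might collect from passive DNS. The resolution table, the list of confirmed-malicious domains, the domains and addresses (RFC 5737 documentation ranges) and the verdict labels are all constructed for the example.

```python
"""Triage an IP-based IOC: is the address shared, and would blocking it
hit services that are not known to be malicious?

Added example, not the article's own tooling. It assumes the analyst has
(a) a list of (domain, ip) resolutions, e.g. from passive DNS, and
(b) a set of domains already confirmed as malicious. Both are constructed.
"""
from collections import defaultdict

# Constructed resolution data (hypothetical domains, documentation IPs).
RESOLUTIONS = [
    ("evil-update.example", "203.0.113.10"),   # malicious, on a shared host
    ("shop.example", "203.0.113.10"),          # legitimate, same host
    ("blog.example", "203.0.113.10"),          # legitimate, same host
    ("c2.example", "198.51.100.7"),            # malicious
    ("dropper.example", "198.51.100.7"),       # malicious, same host
    ("loader.example", "192.0.2.5"),           # malicious, dedicated host
]

# Constructed set of domains the analyst has confirmed as malicious.
CONFIRMED_MALICIOUS = {
    "evil-update.example", "c2.example", "dropper.example", "loader.example",
}

# Verdict labels (hypothetical, chosen for this example).
VERDICT_NO_DATA = "no resolution data: review before using as IP IOC"
VERDICT_DOWNGRADE = "shared host with unconfirmed domains: use domain IOCs instead"
VERDICT_BLOCK_IP = "all hosted domains confirmed malicious: IP IOC acceptable"


def domains_by_ip(resolutions):
    """Invert the resolution table into ip -> set of domains."""
    index = defaultdict(set)
    for domain, ip in resolutions:
        index[ip].add(domain)
    return index


def is_shared(ip, resolutions=RESOLUTIONS):
    """True when more than one domain resolves to the address."""
    return len(domains_by_ip(resolutions).get(ip, set())) > 1


def assess_ioc(ip, resolutions=RESOLUTIONS, malicious=CONFIRMED_MALICIOUS):
    """Classify a candidate IP IOC.

    Returns a dict with the shared flag, the hosted domains split into
    confirmed-malicious and unconfirmed sets, and a verdict label. Any
    unconfirmed domain means an IP block could cut off a legitimate
    service, so the IOC is downgraded to the domain level.
    """
    hosted = domains_by_ip(resolutions).get(ip, set())
    confirmed = hosted & malicious
    unconfirmed = hosted - malicious
    if not hosted:
        verdict = VERDICT_NO_DATA
    elif unconfirmed:
        verdict = VERDICT_DOWNGRADE
    else:
        verdict = VERDICT_BLOCK_IP
    return {
        "ip": ip,
        "shared": len(hosted) > 1,
        "confirmed_malicious": confirmed,
        "unconfirmed": unconfirmed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for candidate in ("203.0.113.10", "198.51.100.7", "192.0.2.5", "203.0.113.99"):
        result = assess_ioc(candidate)
        print(f"{candidate}: shared={result['shared']} "
              f"unconfirmed={sorted(result['unconfirmed'])} -> {result['verdict']}")
```

The point of the split is that "shared" alone is not the deciding factor: 198.51.100.7 is shared but every domain on it is confirmed malicious, so an IP IOC is still acceptable, whereas 203.0.113.10 hosts two unconfirmed domains and blocking it would reproduce exactly the false positive the article warns about.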

This article details a solution to confirm whether an IP address is used by a shared host.