Can IP host reputation systems protect against the Russian Business Network?

IP host reputation is becoming popular in 2012 because of the enormous amount of false positives caused by threat detection systems.

Tue, 2/28/12 - 10:26am

I'm Mike Patterson, the Founder and CEO of network performance monitoring software vendor Plixer International, a registered Cisco developer within the systems management technology category.

Who is this friend?

Has your daughter or son ever wanted to have a play date with another child you were not familiar with? Did you want to know the background of the new friend, maybe even a bit about his or her parents? Do the parents have good jobs? Are they convicted criminals? What do their home and cars look like? The answers to these questions help you decide how, or whether, the play date will take place.

Taking a similar approach with the Internet hosts that your internal hosts want to communicate with is much harder to investigate. IP host reputation systems let companies check on who their internal hosts want to communicate with. For example, what if one of your servers wanted to make some connections with hosts on the Russian Business Network (RBN)? Would you knowingly allow it? If you could take the time, wouldn't you want to look into why the connection needs to take place? Unfortunately, given the number of connections on most networks, checking on every host your users want to connect to isn't as easy as checking on a child's new friend. Many companies assume that not all hosts on the RBN are bad:
How good sites become bad sites

Attackers sometimes stitch malicious programs created with kits like Mpack into the fabric of legitimate Web sites which may not be on the RBN, but have been hacked. When a visitor arrives at such a site with a Web browser that is not equipped with the latest software security updates, the site silently installs a password-stealing program on the visitor's computer. The victim's stolen data is then regularly forwarded on to a "drop site" pre-arranged by the attackers -- in the case of the Mpack authors, a set of Web servers residing on the RBN.

Some DDoS attacks originate from the RBN or gain information from the hosts residing on it. When DDoS attacks occur, service providers have to pay upstream Internet providers more money because unaware users chew up excessive bandwidth. Because of this, some providers are now blocking the entire RBN to save money, to save man hours and to prevent the headaches caused by chasing down and stopping attacks associated with or triggered by RBN traffic.

"Our instances of spam and infected machines dropped exponentially," said one service provider after blocking the entire RBN. He went on to say that prior to the RBN blockade, his employer was receiving between 30 and 40 alerts each week from other ISPs complaining about phishing sites hosted by machines on his company's network. In the two weeks following the blocking of the RBN, the service provider said they received a total of just three complaints about phishing sites on his network.

IP host reputation tools help

I found an IP address lookup tool by LinuxMagic.com that's useful for running an IT background check against an IP address. It qualifies an IP by comparing the host against multiple blacklists. Although it's effective, looking up each host is a cumbersome process because of the massive number of hosts detected and the even greater number of false positives, so one-off lookup tools like it are often not used.
A commercial host reputation/behavior score utility called WatchGuard provides a dashboard which lays out the countries, IP addresses and types of threats seen on the network. I also found a host reputation database called SenderBase which allows you to look up IP addresses and provides a dashboard. I'm sure these tools provide some sort of database which can be imported into your routers, empowering them to block connections to bad hosts. Some hardware vendors such as Juniper and Vyatta are implementing cloud IP reputation services from vendors like ThreatSTOP. Firewall vendors are following suit. We tested a similar strategy on our little Cisco router, and when the list of bad IP addresses climbed to over 8K, the router slowed to a crawl.

NetFlow security threat detection

A utility called tcpflow captures data transmitted as part of TCP connections (flows) and stores the data in a way that is convenient for protocol analysis and debugging. The key to utilities like this is that hosts flagged as 'bad' should be updated and aged out. Otherwise the lists of bad IP addresses grow too large and quickly become out of date. NetFlow analysis vendors such as Plixer have started checking both the source and destination IP addresses of flows against a regularly updated known-threats database. Hosts that trigger alarms can be automatically added to, and aged out of, block lists on routers and switches to help avoid trouble. This approach greatly reduces the amount of proactive action required of the local network and security administrator.

IP reputation for detecting threats summary

Why is IP host reputation becoming popular in 2012? Because of the enormous amount of false positives caused by most, if not all, threat detection systems. Hosts with bad reputations are often confirmed by more than one service provider, and the lists are kept up to date. In other words, the data is usually reliable.
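The NetFlow-side check described above (match a flow's source and destination against a reputation feed, auto-add hits to a block list, age them out, and keep the list small enough that a router can still cope) as an added example; this is illustrative code, not Plixer's product or any vendor's tool. The threat feed and flow records are constructed sample data using documentation address ranges, not real RBN prefixes.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed threat feed (documentation ranges, not real RBN prefixes): flagged CIDR blocks.
THREAT_FEED = ["203.0.113.0/24", "198.51.100.7/32"]

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes, timestamp).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.40", 443, 5120, 1000),
    ("10.0.0.9", "192.0.2.10", 80, 800, 1010),
    ("198.51.100.7", "10.0.0.5", 22, 64, 1020),
    ("10.0.0.5", "203.0.113.40", 443, 4000, 2000),
]

@dataclass
class ReputationBlocklist:
    """Block list fed by reputation hits; entries age out after ttl seconds."""
    feed: list
    ttl: int = 3600
    max_entries: int = 8000           # bound the ACL size (the page's router crawled past 8K)
    entries: dict = field(default_factory=dict)  # ip -> last time it was seen in a flow

    def __post_init__(self):
        self.nets = [ipaddress.ip_network(n) for n in self.feed]

    def flagged(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.nets)

    def check_flow(self, src, dst, now):
        hits = [ip for ip in (src, dst) if self.flagged(ip)]   # either endpoint may be bad
        for ip in hits:
            self.entries.pop(ip, None)  # re-insert so dict order stays oldest-first
            self.entries[ip] = now
        while len(self.entries) > self.max_entries:
            self.entries.pop(next(iter(self.entries)))  # evict the oldest entry
        return hits

    def expire(self, now):
        """Drop entries not seen within ttl; returns the aged-out IPs."""
        stale = [ip for ip, seen in self.entries.items() if now - seen > self.ttl]
        for ip in stale:
            del self.entries[ip]
        return stale

def process_flows(flows, feed, ttl=3600, max_entries=8000):
    """Run flows through the reputation check; returns the block list and alert tuples."""
    bl = ReputationBlocklist(feed, ttl, max_entries)
    alerts = []
    for src, dst, port, nbytes, ts in flows:
        bl.expire(ts)                          # age out before evaluating the next flow
        for ip in bl.check_flow(src, dst, ts):
            alerts.append((ts, ip, src, dst, port, nbytes))
    return bl, alerts
```

With the sample data, both the outbound connections to the flagged /24 and the inbound SSH attempt from the flagged host raise alerts, and the hit on the same destination refreshes its age rather than adding a duplicate entry.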
IP host reputation systems will probably be used alongside traditional threat detection systems, providing another layer of security. By using IP host reputation databases, corrective action can be automated, which means fewer false positives, headaches, time lost and theft.