Enriching IP Blacklists Using a Reverse IP/DNS Database

Read the original article: Enriching IP Blacklists Using a Reverse IP/DNS Database


Every organization faces two kinds of cyber threats daily — “known” and “unknown” ones. Known threats are those that security experts have discovered, often published in blogs and major news outfits with accompanying indicators of compromise (IoCs). Unknown threats, meanwhile, are those that remain hidden to victims and researchers. IoCs for these have yet to be identified and disclosed.

One way to detect unknown threats is to use known IoCs as a starting point, a process known as blacklist enrichment. Enterprises may find it useful to dive deeper into their existing blacklists and uncover an attacker’s wider digital footprint, starting from a single harmful or downright malicious IP address. This post shows how to do that with the aid of a reverse IP/DNS database.

Find Otherwise-Hidden Connections to Malicious Domains

To illustrate, we obtained a list of the 20 most recent malicious IP address additions (as of 30 September 2020) to the AbuseIPDB database, which include:

IP Address                 Number of Citations for Malicious Activity
158[.]69[.]110[.]31        8,870
141[.]98[.]9[.]165         3,038
222[.]186[.]30[.]112       3,036
91[.]204[.]248[.]42        2,311
106[.]12[.]92[.]246        2,264
180[.]76[.]186[.]109       1,253
147[.]135[.]135[.]111      1,133
171[.]34[.]78[.]119        467
116[.]233[.]19[.]80        454
106[.]13[.]177[.]53        444
209[.]97[.]166[.]234       139
119[.]28[.]223[.]229       48
59[.]42[.]39[.]125         27
113[.]173[.]192[.]117      2
123[.]27[.]89[.]50         2
180[.]120[.]211[.]191      2
206[.]189[.]72[.]161       2
141[.]98[.]9[.]166         1
156[.]199[.]196[.]137      1
222[.]138[.]49[.]79        1

General Findings

Initial analysis of the IP addresses cited for violations revealed the following:

  • Nine of the 20 IP addresses were based in China according to their IP geolocation.
  • 158[.]69[.]110[.]31 was cited most often (8,870 times to be exact) for a variety of malicious activities.
  • The top three reasons for malicious citations were hacking (18 IP addresses), File Transfer Protocol (FTP) brute force (17 IP addresses), and brute force (16 IP addresses).

A Deeper Dive into the Digital Footprint of a Malicious IP Address Using Reverse IP/DNS Database

While IP-level blocking could protect organizations from the threats that a malicious IP address such as 209[.]97[.]166[.]234 can bring, it may not be sufficient or optimal. An alternative or complementary approach is to seek out and block the domains or subdomains connected to malicious IP addresses, though only after confirming that these are harmful.

Our reverse IP/DNS database, for instance, showed that 209[.]97[.]166[.]234 resolved to the following domains and subdomains at some point in time:

  • mx12[.]collision48419[.]tokyo on 19 August 2020
  • coingnu[.]com on 27 November 2019
  • khun-teee[.]com on 28 August 2019
  • naitinoi[.]com on 20 August 2019
  • rhicavipz[.]me on 30 November 2018
  • manage-apleid[.]ddns[.]net on 26 November 2018
  • anumase[.]ddns[.]net on 25 November 2018
  • appleidmanage[.]ddns[.]net on 25 November 2018
  • hmmjembod[.]sytes[.]net on 25 November 2018
  • applelockedreview[.]myvnc[.]com on 25 November 2018
  • tools[.]hackers[.]moe on 2 November 2018
  • openph[.]org on 5 July 2018
  • staging[.]openph[.]org on 5 July 2018

Users can check these entities against a threat intelligence platform or publicly available threat databases to see whether any related domains or subdomains require blacklisting. From the list above, for example, we found that appleidmanage[.]ddns[.]net was flagged as malicious on VirusTotal.
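The pivot described above (blocklisted IP to historical domains to confirmation against reputation data), as an added example that is not part of the original post. The reverse IP/DNS records are transcribed from the article's list for 209[.]97[.]166[.]234; the reputation lookup is a constructed stand-in for a threat intelligence platform, seeded only with the VirusTotal verdict the article reports; the dynamic-DNS zone list is an assumption.

```python
"""Enrich one blocklisted IP with its reverse IP/DNS history (added example)."""
from datetime import date

# Constructed reverse IP/DNS records: (hostname, date seen resolving to the IP),
# transcribed from the article's list for 209.97.166.234.
REVERSE_DNS = {
    "209.97.166.234": [
        ("mx12.collision48419.tokyo", date(2020, 8, 19)),
        ("coingnu.com", date(2019, 11, 27)),
        ("appleidmanage.ddns.net", date(2018, 11, 25)),
        ("hmmjembod.sytes.net", date(2018, 11, 25)),
        ("applelockedreview.myvnc.com", date(2018, 11, 25)),
        ("staging.openph.org", date(2018, 7, 5)),
    ],
}
# Constructed stand-in for a reputation lookup; the article reports only
# appleidmanage[.]ddns[.]net as flagged on VirusTotal.
REPUTATION = {"appleidmanage.ddns.net": "malicious"}
# Assumed public dynamic-DNS zones: the parent is shared by many unrelated
# users, so only the exact hostname is a safe blocklist entry.
DYNAMIC_DNS_ZONES = {"ddns.net", "sytes.net", "myvnc.com"}


def refang(indicator):
    """Turn defanged notation such as 209[.]97[.]166[.]234 into a usable string."""
    return indicator.replace("[.]", ".")


def defang(indicator):
    """Reverse of refang, for safe display in reports."""
    return indicator.replace(".", "[.]")


def enrich(defanged_ip, min_seen=date(2018, 1, 1)):
    """Pivot from one IP to its historical hostnames, newest first.

    Returns {"confirmed": [...], "review": [...]}: confirmed hosts have a
    malicious verdict and can go on a domain blocklist; review hosts resolved
    to the IP but are unconfirmed, so an analyst must decide. Resolutions
    older than min_seen are dropped as stale.
    """
    result = {"confirmed": [], "review": []}
    records = REVERSE_DNS.get(refang(defanged_ip), [])
    for host, seen in sorted(records, key=lambda r: r[1], reverse=True):
        if seen < min_seen:
            continue
        zone = ".".join(host.split(".")[-2:])
        note = "block exact FQDN only (shared dynamic-DNS zone)" if zone in DYNAMIC_DNS_ZONES else ""
        entry = {"host": defang(host), "last_seen": seen.isoformat(), "note": note}
        bucket = "confirmed" if REPUTATION.get(host) == "malicious" else "review"
        result[bucket].append(entry)
    return result
```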

Organizations that rely solely on blocking access to and from known IoCs may miss an opportunity to bolster their cybersecurity. Subjecting malicious IP addresses to further checks with a reverse IP/DNS database makes it possible to identify dangerous properties that may represent yet-unknown threats.
