Presentation by Guy Rosefelt and at APNIC 46 on Wednesday, 12 September 2018.

1. W W W. N S F O C U S . C O M
HOW TO MONETIZE IP REPUTATION
Guy Rosefelt
Dir, Product Management

2. WHAT IS IP REPUTATION
— Botnet
— DDoS
— Scanner
• Automated tools
— Exploits
• Automated tools
— Malware
— Web Attacker
• Human hacking
— Spam Source
— Phishing
— Proxy
— Ransomware
— Score of the malicious behavior of an IP address on the internet
— Tracked at the IP and ASN levels
— Based on how malicious and how often the activity is

3. IP REPUTATION
• IP addresses can be in more than one reputation category, such as being
both Phishing and Spam Source.
• Categorization of IP addresses can change over time based on behavior.
• For example, as additional data is collected an IP address could move
from DDoS (a more general category) to Botnets (a more specific
behavior category).

4. HOW GOOD IS YOUR IP REPUTATION?
Country/Region Num IPs Matched IPs Percent Matched
Vietnam 13,522,176 2,003,658 14.8176%
Iraq 565,504 73,910 13.0698%
Mauritania 41,216 4,362 10.5833%
Pakistan 5,297,152 520,575 9.8275%
Macedonia 681,984 52,091 7.6382%
India 34,168,404 2,493,711 7.2983%
Benin 70,912 4,819 6.7957%
Guinea 16,640 1,119 6.7248%
Marshall Islands 4,608 269 5.8377%
Iran 13,313,901 749,359 5.6284%
Burkina Faso 38,912 2,070 5.3197%
Nepal 507,648 26,806 5.2804%
Lebanon 547,840 28,613 5.2229%
Cape Verde 28,672 1,304 4.5480%
Mali 72,192 3,229 4.4728%

5. JAPAN Top 20 ASN IP REPUTATION
DISTRIBUTION

6. FIJI REPUTATION

7. Country/Region ASN Num IPs Matched IPs Percent
Matched
DDoS %DDoS
United States AS31788 256 1 0.3906 1 100.00
United States AS394573 256 1 0.3906 1 100.00
United States AS22014 256 1 0.3906 1 100.00
United States AS19642 256 1 0.3906 1 100.00
United States AS46982 256 1 0.3906 1 100.00
United States AS33592 256 1 0.3906 1 100.00
United States AS62791 256 1 0.3906 1 100.00
United States AS393685 256 1 0.3906 1 100.00
United States AS395406 256 1 0.3906 1 100.00
United States AS22350 256 1 0.3906 1 100.00
United States AS53859 256 1 0.3906 1 100.00
United States AS35944 256 1 0.3906 1 100.00
United States AS23375 256 1 0.3906 1 100.00
United States AS33199 256 1 0.3906 1 100.00
United States AS22553 256 1 0.3906 1 100.00
United States AS53357 256 1 0.3906 1 100.00
Vietnam AS24174 256 1 0.3906 1 100.00
Vietnam AS131125 256 1 0.3906 1 100.00
Indonesia AS38060 128 1 0.7813 1 100.00
Russia AS12478 16 1 6.2500 1 100.00
BOTTOM 20 GLOBAL ASNS BY DDOS 100%
MATCH
There are 7461 ASNs with 100% DDoS match

9. IP REPUTATION SPOTLIGHT: SÃO TOMÉ AND
PRÍNCIPE
— São Tomé and Príncipe is the smallest nation in
Africa.
• A series of islands located in the Gulf of Guinea off the
west coast of Central Africa
— Economy is predominantly based on agriculture of
cocoa.
— São Tomé and Príncipe has a good landline and
cellular infrastructure with 70% of the population
having access to mobile phones.
• 25.6% of the population have access to the internet

10. IP REPUTATION SPOTLIGHT: SÃO TOMÉ AND
PRÍNCIPE
— São Tomé and Príncipe has two ASNs with a total of 8,704 IP addresses. ASN
AS328191 has the bulk of IP addresses (8,192) and ASN AS327725 just 512 IP
addresses.
— In August, the NSFOCUS IP Reputation databases show 1,043 IPs with reputation
for an 11.98% match. That puts it at #7 in the Top 10 Percentage Reputation
Match.
— Almost all the reputation IPs are categorized as Botnets.
São Tomé and Príncipe August Reputation Data
ASN
Assigned
IPs
Matched
IPs
Percent
Matched Botnets DDoS Other
Spam
Sources Exploits Scanners Malware
AS328191 8192 1039 12.6831 1005 2 0 2 3 16 0
AS327725 512 4 0.7813 2 2 0 0 0 0 0

11. IP REPUTATION SPOTLIGHT: SÃO TOMÉ AND
PRÍNCIPE
— In July only three IPs belonging to the smaller ASN AS327725 had reputation: 1
Botnet and 2 DDoS.
— The data was the same in April.
São Tomé and Príncipe July Reputation Data
ASN
Assigned
IPs
Matched
IPs
Percent
Matched Botnets DDoS Other
Spam
Sources Exploits Scanners Malware
AS327725 512 3 0.5859 1 2 0 0 0 0 0
São Tomé and Príncipe April Reputation Data
ASN
Assigned
IPs
Matched
IPs
Percent
Matched Botnets DDoS Other
Spam
Sources Exploits Scanners Malware
AS327725 512 3 0.5859 1 2 0 0 0 0 0

12. IP REPUTATION SPOTLIGHT: SÃO TOMÉ AND
PRÍNCIPE
— We can assume a massive malware infestation occurred in August based on several
assumptions:
• ASN AS328191 belongs to Companhia Santomense de Telecomunicacoes, a mobile provider
(https://www.cst.st/)
• Companhia Santomense de Telecomunicacoes sells Samsung and Alcatel phones using Android OS
• During August, over 300 apps in the Google Play Store were found to be infected with WireX malware
— Investigation shows that Companhia Santomense de Telecomunicacoes is the
predominant mobile carrier so it is likely that many Android based phones were
infected with WireX this month

13. IP REPUTATION SPOTLIGHT: SÃO TOMÉ AND
PRÍNCIPE
— Further investigation shows that ASN AS327725 belongs to UNITEL STP SARL
(http://unitel.st).
— Although also a mobile provider, many of the IPs in the ASN are Windows
computers and not susceptible to WireX.
• It is possible then that this ASN is primarily residential and commercial internet
users.

14. POSSIBLE ROOT CAUSE OF REPUTATION
DISTRIBUTION
• Malware infections are likely primary cause of all reputation activity
• Smaller ASNs (Class C) may see related infections across contiguous IP
addresses
• Within an enterprise
• Within apartment complex or neighborhoods
• Distribution of mobile devices within an ASN
• Do some ASNs see more iPhone, Android, or Windows 10 devices?

15. WHERE DOES THE MONEY COME IN?
— Provide an IP Reputation Monitoring Service
• Tracks internet IP reputation for customer
• Single IPs, Subnets, ASNs
— Provide real-time monitoring of IP activity
• Automatic email notification of malicious activity
— Provide monthly reports
• Customer reputation activity
• Comparison with ASN
• Comparison in country

16. 126.113.61.66
Reflection DDoS Source
HTTP Protocol (Port 80 )
Two Domains Related
Detection Log

17. WWW.NSFOCUS.COM
REALTIME NOTIFICATION
17
Dear Customer,
You are monitoring the following assets: ASN xxx ASN yyy
The following changes occurred to your asset’s reputation within the last 24 hours.
The number of assets that were removed from the blacklist: 2 IPs: 1.1.1.1
1.1.1.2
URLs: Domains:
The number of assets that were added to the blacklist: 3 IPs: 1.2.1.10
1.2.1.11
1.2.2.10
URLs: Domains:
The number of vulnerabilities and files associated with
assets added to the blacklist:
IP
1.2.1.10
1.2.1.11
1.2.2.10
Number Vuln
3
1
13
Number Files
0
0
5
For more information, please log into your NTI portal account.
Thank you,
NTI Team

18. Case Study: How Good is Your IP Reputation?
Carrier A 2-Aug 5-Aug 10-Aug 12-Aug
Total Number of IPs 170,143,836 170,143,836 170,143,836 170,143,836
Total Matched 24,841 25,389 25,574 25,795
Percentage Matched 0.0146% 0.0149% 0.0150% 0.0152%
Number added 0 661 217 273
Number deleted 0 113 32 52
IP Type
Botnets Count 11872
DDoS Count 60
Exploits Count 9
Proxy Count 1
Scanners Count 30
Spam Sources Count 12863
Web Attacks Count 6
Grand Count 24841

19. 24,200
24,400
24,600
24,800
25,000
25,200
25,400
25,600
25,800
26,000
2-Aug Test 2 Test 3 Test 4
IPs
Date
Number of Matched IPs
Case Study: How Good is Your IP Reputation?

20. Case Study: How Good is Your IP Reputation?
Carrier A Test 1 Test 2 Test 3 Test 4
Total Number of IPs
Total Matched 24,841 25,389 0 0
Percentage Matched 0.0146% 0.0149% 0.0000% 0.0000%
Number added 0 661 0 0
Number deleted 0 113 0 0
Carrier B Test 1 Test 2 Test 3 Test 4
Total Number of Ips
Total Matched 2357 2357 2357 2357
Percentage Matched 0.00600% 0.00600% 0.00600% 0.00600%
Number added 0 0 0 0
Number deleted 0 0 0 0
Carrier C Test 1 Test 2 Test 3 Test 4
Total Number of Ips
Total Matched 4963 4963 4963 4963
Percentage Matched 0.00520% 0.00520% 0.00520% 0.00520%
Number added 0 0 0 0
Number deleted 0 0 0 0
IP Type
Botnets Count 11872
DDoS Count 60
Exploits Count 9
Proxy Count 1
Scanners Count 30
Spam Sources Count 12863
Web Attacks Count 6
Grand Count 24841

21. Case Study: How Good is Your IP Reputation?
Malaysian T-1 Provider 20-Sep
Total Number of IPs 10,251,008
Total Matched 36,795
Percentage Matched 0.3589%
Number added 0
Number deleted 0
IP Type
Botnets 14606
DDoS 764
Exploits 167
Proxy 59
Scanners 500
Spam Sources 20689
Malware 9
Phishing 1
Grand Count 36795

22. Case Study: How Good is Your IP Reputation?
ASN Num Ips Matched Ips Percentage Matched
AS9506 803,584 20,410 2.5399%
AS45143 197,632 2,209 1.1177%
AS3758 617,472 648 0.1049%
AS7700 14,336 76 0.5301%
AS9911 35,584 12 0.0337%
AS7473 97,280 39 0.0401%
AS9255 14,592 1 0.0069%
AS55553 512 0
AS132804 256 0
AS132805 256 0
AS133497 0 0
AS10140 0 0
AS133097 0 0
AS134547 0 0
AS4772 0 0
AS4657 323,328 14,926 4.6164%
AS55430 449,024 1,621 0.3610%
AS10091 475,136 2,137 0.4498%
AS9874 254,464 389 0.1529%
AS45938 2,048 1 0.0488%
AS38861 2,304 0
AS4773 381,696 18,490 4.8442%
AS17547 165,120 1,743 1.0556%
AS132915 0 0
AS45159 0 0
AS17743 0 0
AS17761 0 0
Total 3,834,624 62,702 1.6352%
Top T-1
Singaporean
Providers By ASN
• Total IP:
3,834,624
• Matched IPs:
62,702
• Percentage Matched:
1.6351%

23. Thank You