You don’t like it when the FBI knocks on your door at 6 a.m. Surprisingly, neither does your usual cybercriminal. That’s why the good ones hide behind layers of proxies, VPNs or Tor nodes.
Their own IP address is never directly exposed to the target’s computer. Cybercriminals always use third-party IP addresses for their attacks.
There are countless ways to carry out cyber attacks, but they all have one thing in common: the need for a pool of IP addresses to work from. Criminals need IP addresses to perform distributed denial-of-service attacks.
Criminals need IP addresses to hide behind while probing services. Criminals need IP addresses to attempt brute-force attacks. Criminals need IP addresses to run bot networks and services. In short, criminals need to control IP addresses for pretty much everything. It is their most important asset and the ammunition they need for attacks.
So how do cybercriminals get these notorious IP addresses and how much does it cost them? Here are some examples.
Hijacking machines, and especially networks of IoT devices. Poorly secured and poorly managed fleets of IoT devices with default credentials and outdated firmware are the perfect target: an easy way to zombify large numbers of devices, freshly served for DDoS attacks… hey, “smart” security cameras, we’re watching you!
“VPS are cheap”
Take any cloud provider, launch some instances, install bots for scanning and try Log4j injections. At a limited cost, you have a bot network to scan targets for vulnerabilities. At some point you will of course be flagged, or the provider may catch you. But you can replicate the approach with cloud providers in other countries, perhaps ones that are less strict about how these VPS are used…
“Into the darkness”
You can also go to the criminal supermarket, a.k.a. the “Dark Web”, and acquire a network of bots to perform attacks like DDoS for a few hundred dollars. Script kiddies, welcome.
Two takeaways from these approaches:
While acquiring IP addresses is not impossible, it costs money, time, and resources. If you interfere with this, you disrupt a criminal’s ability to do their job efficiently. Block the IPs known to be used by criminals and you can drastically increase the security of your online assets.
These bots and scan automation activities create a lot of internet background noise. Imagine all these myriad botnets scanning IP space for various nefarious purposes. Among SOC analysts the effect is known as “alert fatigue”: the noise generates a large volume of data with little value, yet analysts still have to take it into account.
But good news everyone, there are solutions that make life harder for cyber criminals.
IP reputation is part of the solution. If a service can preemptively assess the risk of an incoming IP connection, it can lock out known malicious sources and ensure that those IPs can no longer harm anyone, effectively taking away the pool of IP addresses that criminals have spent time and money to build up.
At CrowdSec, we love experimenting: we set up two identical VPS with a well-known cloud provider, running two simple services, SSH and Nginx. Nothing special, just like millions of machines out there in the wild. Both had CrowdSec installed to detect intrusion attempts. The only difference was that one machine also had the Remediation Agent (IPS), which received IP reputation information from the CrowdSec community (1 million signals shared daily) and preemptively banned the flagged IPs.
The result was pretty stunning.
Thanks to the community blocklist, the machine with IPS preemptively blocked 92% of attacks compared to the machine without IPS. This is a remarkable increase in security level.
You can find more about the methodology and the detailed results at: https://crowdsec.net/
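As an added illustration of the comparison above (example code, not CrowdSec’s own), the snippet below replays constructed sshd and Nginx log lines against a constructed reputation blocklist containing single IPs and a CIDR range, and reports what share of events a preemptive ban would have stopped before they ever became alerts. The blocklist, log lines and function names are all assumptions for the example.

```python
# Added example (not CrowdSec code): measure how many logged events came from
# blocklisted sources, i.e. what a preemptive IPS ban would have removed.
import ipaddress
import re

# Constructed blocklist: single hosts and one CIDR range, as a community feed might deliver.
BLOCKLIST = ["203.0.113.7", "198.51.100.0/24"]

# Constructed log lines: sshd entries from auth.log and Nginx access-log entries.
LOG_LINES = [
    "Jan 10 06:01:12 vps sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Jan 10 06:01:15 vps sshd[812]: Failed password for invalid user admin from 198.51.100.44 port 51130 ssh2",
    "Jan 10 06:02:01 vps sshd[819]: Accepted publickey for ops from 192.0.2.10 port 40022 ssh2",
    '198.51.100.9 - - [10/Jan/2024:06:03:44 +0000] "GET /.env HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.55 - - [10/Jan/2024:06:04:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl"',
    '203.0.113.7 - - [10/Jan/2024:06:05:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
]

# sshd auth events ("Failed password for ... from IP", "Accepted publickey for ... from IP").
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<event>Failed|Accepted) \S+ for .+? from (?P<ip>[\d.]+)")
# Nginx combined log format: the client IP is the first field.
NGINX_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def load_blocklist(entries):
    """Parse plain IPs and CIDR ranges into network objects (a single host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(ip, networks):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def source_ip(line):
    """Extract the client IP from an sshd or Nginx line; None if the line matches neither."""
    m = SSHD_RE.search(line) or NGINX_RE.match(line)
    return m.group("ip") if m else None


def replay(lines, entries):
    """Return (total_events, events_from_listed_ips, listed_fraction) for the given logs."""
    networks = load_blocklist(entries)
    ips = [ip for ip in map(source_ip, lines) if ip]
    blocked = sum(is_listed(ip, networks) for ip in ips)
    return len(ips), blocked, (blocked / len(ips) if ips else 0.0)


if __name__ == "__main__":
    total, blocked, frac = replay(LOG_LINES, BLOCKLIST)
    print(f"{blocked}/{total} events came from blocklisted IPs ({frac:.0%})")
```

Running the same replay over a day of your own auth.log and access.log against a real feed gives the "alerts avoided" figure for your host rather than a lab number.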
Community IP blocklists, with proper curation, take care of both challenges.
They paralyze criminals by nullifying their IP address pool. They’ve spent time, money, and resources building it, and we as a community are taking it away in the blink of an eye. Take this, scum!
But they also make life a lot easier for analysts and cybersecurity professionals. By preemptively blocking these nefarious IPs, background noise is greatly reduced. We’re talking about reducing the alerts that need to be analyzed by SOC staff by 90%. That’s a lot more time to focus on more important alerts and issues. Alert fatigue? Bye bye.
If you want to participate in the largest IP reputation community and hunt down nefarious IP addresses while effectively protecting your online resources, join us at crowdsec.net.