Of Cybercriminals & IP addresses


You don’t like having the FBI knocking on your door at 6 am. Surprisingly, neither does your usual cybercriminal. That is why they hide (at least the good ones), for example, behind layers of proxies, VPNs, or TOR nodes.

Their IP address won’t be visible to the targeted machine. To deliver attacks, cybercriminals will use IP addresses from third parties.

There are countless ways to deliver cyberattacks. All of these methods have one thing in common. A pool of IP addresses is needed to act as a medium. To deliver distributed denial-of-service attacks, criminals require IP addresses.

Criminals require IP addresses in order to conceal their identities when they use probing services. Criminals need IP addresses to attempt brute force attacks. Criminals need IP addresses to run bot networks and services. In a nutshell, criminals need to maintain IP addresses under their control for pretty much anything. It is their most important asset and is the ammo they need to deliver attacks.

How do cybercriminals gain access to these infamous IP addresses, and how much does it cost? Here are just a few examples.


Hijacking machines, and more specifically networks of IoT devices. IoT devices that are not properly secured or managed, with outdated firmware and default access credentials, make perfect targets. It’s easy to turn large numbers of devices into zombies.

“VPS are cheap”

Take any cloud provider, fire up some instances, install bots to scan & attempt Log4j injections. You can have your bot network scan targets for vulnerabilities at a low cost. You might be flagged by the provider or caught. But you can replicate your approach with cloud providers in other countries, maybe less particular about the usage of those VPS…

“Into darkness”

They can also go to the supermarket for criminals, a.k.a. the “dark web”, and acquire a network of bots to deliver attacks like DDoS for a couple of hundred dollars. Script kiddies, welcome.

Two takeaways from these approaches:

Acquiring IP addresses is not difficult, but it can be costly and time-consuming. Tamper with that, you tamper with a criminal’s ability to do his job efficiently. Ban known IPs used by criminals and you might just drastically increase the security of your online assets.

Those bots and scan automation activities generate a lot of internet background noise: all those botnets scanning the IP space for various nefarious purposes. SOC analysts know the result well as “alert fatigue”, meaning a large amount of data without much added value that analysts still need to take into account.

But, good news for all cybercriminals: there are ways to make their lives more difficult.

IP reputation can be part of the solution. Imagine users being able to prevent an IP from connecting to a service. They can then lock out malicious IPs and ensure that those IPs are not able to harm anyone, effectively taking the criminals’ IP address pool away.

At CrowdSec, we ran a fun experiment: we set up two identical VPSs on a well-known cloud provider, with two simple services, SSH and Nginx. Nothing fancy, just like millions of machines out there in the wild. We installed CrowdSec on both machines to identify intrusion attempts. However, only one machine had the remediation agent (IPS), receiving IP reputation information from the CrowdSec community (1 million signals shared daily) and preventively banning flagged IPs.

The result was quite stunning.

Thanks to the community blocklist, the machine with the IPS preventively blocked 92% of the attacks compared to the machine without the IPS. That is a notable increase in security level.

You can read more about the methodology and detailed results at: https://crowdsec.net/

Source: crowdsec.net

Community IP blocklists – with prior curation – take care of both challenges.

They disable criminals by nullifying their IP address pool. These criminals spent time and money to build it. We, the community, take it all away in a flash. Take that, scum!

They also make life easier for analysts and cybersecurity professionals. The background noise can be significantly decreased by blocking nefarious IPs. We are talking about reducing by 90% the alerts that need to be analyzed by SOC people. That is much more time to focus on more significant alerts and topics. Suffering from alert fatigue? Bye-bye.
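The effect of a preventive ban on an analyst's queue can be measured by replaying a machine's own logs against a blocklist. The sketch below is an added example, not CrowdSec code: the blocklist, the sshd log lines and the function names are all constructed for illustration, and the addresses come from the reserved documentation ranges.

```python
import ipaddress
import re

# Constructed community blocklist: single IPs and CIDR ranges (documentation space).
BLOCKLIST = ["203.0.113.0/24", "198.51.100.7", "2001:db8:bad::/48"]

# Constructed sshd log lines, as a machine without the IPS would record them.
LOG_LINES = [
    "Jan 10 06:00:01 vps sshd[811]: Failed password for root from 203.0.113.5 port 40022 ssh2",
    "Jan 10 06:00:02 vps sshd[812]: Failed password for invalid user admin from 203.0.113.77 port 40100 ssh2",
    "Jan 10 06:00:04 vps sshd[813]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "Jan 10 06:00:09 vps sshd[814]: Failed password for git from 2001:db8:bad::1 port 50000 ssh2",
    "Jan 10 06:01:15 vps sshd[815]: Failed password for alice from 192.0.2.44 port 60000 ssh2",
    "Jan 10 06:01:16 vps sshd[816]: Accepted publickey for alice from 192.0.2.44 port 60001 ssh2",
]

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def load_blocklist(entries):
    """Parse IPs and CIDRs into networks; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_blocked(ip, networks):
    # Only compare within the same IP version (IPv4 vs IPv6).
    return any(ip.version == n.version and ip in n for n in networks)

def triage(lines, networks):
    """Split failed-login alerts into those a preventive ban would have
    stopped before the service, and those left for an analyst."""
    blocked, remaining = [], []
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # not an intrusion-attempt line
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source field, skip rather than crash
        (blocked if is_blocked(ip, networks) else remaining).append(str(ip))
    return blocked, remaining

def reduction_pct(blocked, remaining):
    total = len(blocked) + len(remaining)
    return 100.0 * len(blocked) / total if total else 0.0

if __name__ == "__main__":
    b, r = triage(LOG_LINES, load_blocklist(BLOCKLIST))
    print(f"blocked={len(b)} remaining={r} reduction={reduction_pct(b, r):.0f}%")
```

The source left in the remaining list is the one worth an analyst's attention: it is not on the blocklist, and it is followed by a successful login from the same address.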

Join crowdsec.net to join the largest IP reputation network and find nefarious IP addresses, while protecting your online assets.
