Tracking Unsafe Services that are Hosted by Bots using IP Reputation
In this talk, we present a system to identify and track unsafe services that are hosted on bots. The system operates by identifying services whose hosting IP address was marked as a bot by an IP reputation threat intelligence due to engaging in cyber attacks (e.g., D-DoS), and that the hosting IP is not shared with other web services. The system was implemented using Akamai’s IP reputation system that interacts with over 1.3 billion devices on a daily basis, and identify bots if they issue cyber attacks against websites that are hosted on the Akamai CDN platform which serves up to 30% of the world’s entire web content. Among others we focus on machines involved in D-DoS attacks, SQL injections and account takeovers campaigns. After acquiring the IP address of the bots, we scan over 2.2 billion daily DNS queries that go through the Akamai platform to identify domains that are uniquely resolved to the bots’ IPs and mark these domains as unsafe for use. The system results in thousands of unsafe domains on a weekly basis that are constantly tracked for analysis and active protection.