IP Address Blacklisting
BitNinja's approach to IP reputation differs from the traditional one, so there are a few concepts that are important to understand in order to follow how BitNinja works.
IP reputation is a very effective way of securing a server. It is a database holding information about IP addresses observed around the world. BitNinja clients use IP reputation information automatically on servers to make security decisions and to find out more about an IP address.
Every server with BitNinja can detect and defend a wide range of attacks. The server can send gathered incident information to our central database. Based on the type, timing, and amount of incidents an IP has in the database, it is categorized into one of the following lists.
If there is no information about an IP address, or its latest behavior gives no reason to list it, the IP is not listed and can therefore access all sites and ports as normal.
In traditional IP reputation terminology, we differentiate black and white lists. An IP is either trusted (whitelisted) or absolutely denied (blacklisted). This concept is very inflexible, and it is the cause of the bad reputation that IP reputation lists have. If an IP is blacklisted as a false positive, it's incredibly frustrating for the user of that IP address: they can't access the system they want to use and have to go through an extensive process to get the IP whitelisted or removed from the list.
That’s how the concept of greylisting was created.
A greylist is a list of IPs we deem to be malicious but are not yet completely sure about.
The greylist contains suspicious IPs that the BitNinja software handles with special care. BitNinja has different CAPTCHA modules for different protocols. The duty of a CAPTCHA module is as follows:
- Decide if the user is human or not
- Inform the user about the fact that his/her IP has been greylisted
- Provide a safe way for the user to delist his/her IP
- Record any requests made by non-human parties, growing the knowledge base about the IP and its sin list.
- Honeypotting by pretending to be a vulnerable system so bots will try to connect
If there are suspicious incidents derived from an IP address, the IP can be greylisted by some users. If an IP is user-greylisted, it means it is only greylisted by some users, not all BitNinja users. When we have enough information about an IP that is sending malicious requests, we move it to the global greylist. If an IP is globally greylisted, it is greylisted by all BitNinja servers.
If your IP address is greylisted, you will see a page similar to a generic reCAPTCHA; it protects our servers and helps in the fight against malicious systems.
If there is enough evidence that an IP is suspicious, the IP address is moved to a global greylist which is then distributed to every BitNinja protected server.
When an IP is globally greylisted and is still sending malicious requests, we identify it as dangerous. Such IPs are moved to the global blacklist maintained by BitNinja. Packets from IPs on this list are dropped entirely, so the connection times out. The false-positive rate of the global blacklist is very low, as there are many steps before we request a blacklist on an IP. Blacklisted IPs are moved back to the greylist from time to time to check whether the traffic is still malicious or the system has been disinfected.
The essential list provides protection against the most dangerous IPs. These IPs are often used by the most aggressive hackers all around the world. When an IP generates more than 5000 malicious requests, BitNinja places it on this list. The essential list forms part of the protective layer, defending you and your clients from some of the world’s most aggressive cyber attacks.
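The list transitions described above (not listed, user greylist, global greylist, blacklist, periodic re-check, and the essential list at more than 5000 malicious requests), modelled as a small state machine. This is an added illustration, not BitNinja's own code or API; the number of reporting servers needed for global greylisting and the number of requests tolerated after it are assumed values, since the page only states the 5000 figure.

```python
from collections import defaultdict
from dataclasses import dataclass, field

NOT_LISTED, USER_GREY, GLOBAL_GREY, BLACKLIST, ESSENTIAL = (
    "not_listed", "user_greylist", "global_greylist", "blacklist", "essential")

GLOBAL_GREY_SERVERS = 3    # assumed: distinct servers reporting before global greylisting
BLACKLIST_AFTER_GREY = 5   # assumed: malicious requests tolerated while globally greylisted
ESSENTIAL_REQUESTS = 5000  # stated on the page

@dataclass
class IpRecord:
    total_malicious: int = 0
    reporting_servers: set = field(default_factory=set)
    after_global_grey: int = 0
    status: str = NOT_LISTED

class ReputationDb:
    def __init__(self):
        self.records = defaultdict(IpRecord)

    def report_incident(self, ip, server_id):
        """A server reports a malicious request from ip; returns the new list."""
        r = self.records[ip]
        r.total_malicious += 1
        r.reporting_servers.add(server_id)
        if r.status == GLOBAL_GREY:
            r.after_global_grey += 1
        if r.total_malicious >= ESSENTIAL_REQUESTS:
            r.status = ESSENTIAL
        elif r.status == GLOBAL_GREY and r.after_global_grey >= BLACKLIST_AFTER_GREY:
            r.status = BLACKLIST
        elif r.status in (NOT_LISTED, USER_GREY):
            enough = len(r.reporting_servers) >= GLOBAL_GREY_SERVERS
            r.status = GLOBAL_GREY if enough else USER_GREY
        return r.status

    def captcha_passed(self, ip):
        """A human solved the CAPTCHA, so the IP is delisted from the greylist."""
        r = self.records[ip]
        if r.status in (USER_GREY, GLOBAL_GREY):
            r.status, r.after_global_grey = NOT_LISTED, 0
        return r.status

    def periodic_recheck(self, ip):
        """Blacklisted IPs go back to the greylist to see if they are still malicious."""
        r = self.records[ip]
        if r.status == BLACKLIST:
            r.status, r.after_global_grey = GLOBAL_GREY, 0
        return r.status

    def action(self, ip):
        """What a protected server does with a connection from ip."""
        status = self.records[ip].status if ip in self.records else NOT_LISTED
        return {NOT_LISTED: "allow", USER_GREY: "captcha", GLOBAL_GREY: "captcha",
                BLACKLIST: "drop", ESSENTIAL: "drop"}[status]
```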