search

IP Addresses and Domains

hashtag
IP Addresses

One of the ways an adversary can make it challenging to successfully carry out IP blocking is by using Fast Flux.

According to Akamaiarrow-up-right, Fast Flux is a DNS technique used by botnets to hide phishing, web proxying, malware delivery, and malware communication activities behind compromised hosts acting as proxies. The purpose of using the Fast Flux network is to make the communication between malware and its command and control server (C&C) challenging to be discovered by security professionals.

So, the primary concept of a Fast Flux network is having multiple IP addresses associated with a domain name, which is constantly changing. Palo Alto created a great fictional scenario to explain Fast Flux: "arrow-up-rightFast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns"arrow-up-right

hashtag
Workflow

  • Start with RDAP: Confirm netrange, org, ASN, and abuse contacts.

  • Add ASN Context: Check bgpview.io or ipinfo.io for ASN details and role.

  • Check Geolocation: Capture country from at least two sources. Record mismatches.

  • Look for rDNS Patterns: Reverse DNS can hint at hosting type (e.g., *[.]btcentralplus[.]com = UK broadband). Do not base decisions solely on rDNS.

  • Consult Internal Logs: Has this IP appeared in the last 30 days? If yes, in what context?

  • Classify Role: Hosting, residential, CDN, or cloud. Record reasoning.

  • Plan Outreach: If confirmed malicious and in a cooperative ASN, prepare a report for the abuse contact.

hashtag
IP address location tools

LogoIPinfo | The Trusted IP Data Provideripinfochevron-right
https://iplocation.net/iplocation.netchevron-right

hashtag
IP Reputation Check

LogoIntelligence Center - A Real-Time Threat Detection Service || Cisco Talos Intelligence Group - Comprehensive Threat Intelligencetalosintelligence.comchevron-right

hashtag
IP Ownership

The Registration Data Access Protocol (RDAP) is the authoritative source for IP ownership. Unlike commercial GeoIP services or provider marketing pages, RDAP data is maintained by Regional Internet Registries (RIRs) such as RIPE NCC, ARIN, and APNIC. It tells us precisely who has been provided with the netblock.

From RDAP, we obtain:

  • NetRange: The range of addresses delegated.

  • Organisation: The registered holder (e.g., Amazon, Vodafone, TryHackMe).

  • Remarks: Often include whether the block is used for hosting, broadband, or mobile.

  • Abuse Contact: The official mailbox for incident reporting.

LogoRDAP.ORGabout.rdap.orgchevron-right
LogoBGP.Toolsbgp.toolschevron-right

hashtag
If IP is VPN on tor node

IP2Proxy is another vital resource for labelling VPN, proxy, and Tor exit nodes. These are legitimate shared egress points, which can weaken attribution.

LogoIP2Proxy Proxy VPN Detection - Check Proxy & VPN using IP Addressip2proxy.comchevron-right

hashtag
Domain Names

Domain Names can be a little more of a pain for the attacker to change as they would most likely need to purchase the domain, register it and modify DNS records. Unfortunately for defenders, many DNS providers have loose standards and provide APIs to make it even easier for the attacker to change the domain.

Malicious Sodinokibi C2 ( Command and Control Infrastructure) domains:

hashtag
URL Reputation Check

LogoURL and website scanner - urlscan.iourlscan.iochevron-right
LogoIntelligence Center - A Real-Time Threat Detection Service || Cisco Talos Intelligence Group - Comprehensive Threat Intelligencetalosintelligence.comchevron-right
LogoAbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a timewww.abuseipdb.comchevron-right

hashtag
URL Screenshot

LogoURL2PNG - Screenshots as a Servicewww.url2png.comchevron-right
LogoWannabrowserWannabrowserchevron-right

hashtag
Punycode attack

"Punycode is a way of converting words that cannot be written in ASCII, into a Unicode ASCII encoding."

What you see in the URL is adıdas.de which has the Punycode of http://xn--addas-o4a.de/

Internet Explorer, Google Chrome, Microsoft Edge, and Apple Safari are now pretty good at translating the obfuscated characters into the full Punycode domain name.

To detect malicious domains, proxy logs or web server logs can be used.

hashtag
Shortners

Attackers usually hide the malicious domains under URL shorteners. A URL Shortener is a tool that creates a short and unique URL that will redirect to the specific website specified during the initial step of setting up the URL Shortener link. The attackers normally use the following URL-shortening services to generate malicious links:

  • bit.ly

  • goo.gl

  • ow.ly

  • s.id

  • smarturl.it

  • tiny.pl

  • tinyurl.com

  • x.co

You can see the actual website the shortened link is redirecting you to by appending "+" to it (see the examples below). Type the shortened URL in the address bar of the web browser and add the above characters to see the redirect URL.

hashtag
Any.run Sample

PreviousIOC Extractor ToolsNextNetwork Artifacts

Last updated