Years past, I looked for a resource for checking the trustworthiness for Internet Protocol (IP) address as VirusTotal has become the go-to resource for file hashes and other file-based indicators. While IPs are a different beast altogether since you have considerations like virtual private network (VPN), everchanging, IPs, and I won't even mention the overall aspect of attribution.
About half a decade ago, I took a look at the internet landscape at what was out there to accomplish this check. Some extensions did this check for IPs, but there were very few free services that did this at any scale. I stumbled up a site called AbuseIPDB.
Straight from their website (at time of publishing):
AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
Our mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.
I enjoyed their mission and the community aspect that they enabled, but a particular feature they offered for free is application programmable interface (API) access.
Now they do note on their website that "due to limited resources, free accounts currently have 1,000 requests/day for both IP check and report actions..." That within itself isn't bad for the average person to check a couple of IPs that someone might be concerning. Verified webmasters or anyone that controls their domain that can apply a DNS TXT record is allowed 3,000 requests/day. Since I have had a domain name for 10+ years, this was a no brainer and didn't cost me anything. Lastly, they offer people who support the site even more API requests, and this can also be free. If place an SVG badge on a website you host, then your account will automatically be granted the "supporter" role, this role can boost the check & report limits on the API to 5,000 per day. The badge doesn't need to be on your homepage. The badge can reside on an internal page or even a post like the one you're reading right now.
Note: The number displayed in the badge is a cached value, and updates every day or so.
Once I discovered this site and saw they had an API, I took a look at their documentation, and to my surprise, it was pretty good. To use the API, all you have to do was a basic curl like the following:
curl -G https://api.abuseipdb.com/api/v2/check \ --data-urlencode "ipAddress=220.127.116.11" \ -d maxAgeInDays=90 \ -d verbose \ -H "Key: $YOUR_API_KEY" \ -H "Accept: application/json"
I could have just accomplished this with BASH, but I had other code that I need this work with, and when I could use this in other tooling and reports, I turned my sights to Python. I decided to write a python script to scan and check IPs from files and generate a report from the findings. I initially wrote the infancy of this script in 2015 and decided to include it to GitHub on Dec 10, 2016. The problem I had at the time was the beginning of AbuseIPDB Scanner.
I am by no means a software development engineer (SDE), but I continued to add and make the script better with time and included other file formats. I had some contributors to make the python script better and added some features as well. Beginning with some pure python and regex, the python script now supports JSON, country blocks, and more things as time progresses. To get started, all you have to do is have python3, as well as, git installed and then execute the following commands:
git clone https://github.com/mikebanks/AbuseIPdbSCAN.git pip3 install -r requirements.txt python3 AbuseIPDB.py -i 18.104.22.168
There are many things out there. You should always use a defense-in-depth approach to checking for malicious these things. AbuseIPDB is just one free tool I added to my tool bag. It was something that solved my problem and can scale with an API, and that was affordable. What resources do you use to accomplish the same thing? Do you look at IP reputation? What other tools do you use?