Fighting botnets: Service rates reputation of IP addresses

Startup service provider ipTrust today said it was offering a program that lets businesses avoid botnets and infected machines by letting them know whether IP addresses are linked to suspicious behavior.


By granting access to its database on the known behavior of more than 250 million IP addresses, the company gives customers a means to determine if their own network harbors infected machines that are carrying out malicious activity and whether IP addresses the company comes in contact with are infected, ipTrust says.

The company is a spinoff from Endgame Systems, which has compiled the database and sells similar services to governments. Endgame has close links to Internet Security Systems (ISS), with Endgame’s chairman and CEO Christopher Rouland having served as CTO of ISS and Endgame's COO Daniel Ingevaldson having headed penetration testing there. Rouland is on the board of ipTrust and Ingevaldson is its COO. ISS co-founder Tom Noonan is a member of ipTrust's board.

The company has also won $29 million in Series A funding from investment firms Bessemer Ventures, Columbia Capital, Kleiner Perkins Caufield & Byers and TechOperators.

Initially, ipTrust is offering two services, ipTrust Professional and ipTrust Web.

The first lets customers tap the Endgame database to determine the trustworthiness of IP addresses based on a score from 0 to 1, with 0 indicating a site with no known negative activity, and 1 indicating recent negative activity. This confidence score can be used to help determine how customers treat the sites, Ingevaldson says.

In addition to the score, the service provides a list of the specific behaviors that contributed to it. For example, if an IP address connected to a known botnet command-and-control server today, that would contribute to a bad confidence score. If it connected to the C&C server two years ago and had no other incidents since, the confidence score would be better, he says.

Other factors influencing scores include whether the address is part of an Autonomous System or assigned to an ISP that is suspect.

Customers can use the database to augment their security measures. For example, a business might check the IP address of a machine trying to connect to a corporate network via a VPN to determine whether it has recently exhibited suspicious behavior. ipTrust Professional offers an API that lets corporate applications query the service directly, Ingevaldson says.
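The scoring model described above (a 0-to-1 confidence score built from behaviors whose weight decays with age, plus a penalty for a suspect Autonomous System) and the VPN use case lend themselves to a small worked example. The following is an added illustration, not ipTrust's code or its actual algorithm: the severity weights, the 30-day half-life, the ASN penalty, the policy thresholds and the sample events (documentation IP ranges and the documentation ASN 64496) are all constructed assumptions chosen to reproduce the article's qualitative behavior, in which a C&C contact today scores badly and the same contact two years ago barely registers.

```python
"""Recency-weighted IP reputation score with a VPN admission policy.

Constructed example of the scoring model the article describes. Every
weight, half-life and threshold here is an assumption, not ipTrust's value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ip: str
    behavior: str        # e.g. "c2_contact", "spam_source", "scanning"
    observed: datetime   # when the behavior was seen (UTC)


# Assumed relative severity of each behavior type (not from the article).
SEVERITY = {"c2_contact": 1.0, "spam_source": 0.6, "scanning": 0.3}

# Assumed decay: each half-life halves an incident's contribution, so a
# two-year-old C&C contact with nothing since is almost forgotten.
HALF_LIFE_DAYS = 30.0

# Hypothetical "suspect" autonomous systems; 64496 is a documentation ASN.
SUSPECT_ASNS = {64496}
ASN_PENALTY = 0.2


def contribution(event: Event, now: datetime) -> float:
    """Severity of one incident, discounted by how long ago it was seen."""
    age_days = max(0.0, (now - event.observed).total_seconds() / 86400)
    return SEVERITY.get(event.behavior, 0.2) * 0.5 ** (age_days / HALF_LIFE_DAYS)


def explain(ip: str, events, now: datetime, asn=None):
    """List the (behavior, observed, contribution) rows behind a score,
    largest contribution first, mirroring the per-behavior breakdown."""
    rows = [(e.behavior, e.observed, contribution(e, now))
            for e in events if e.ip == ip]
    if asn in SUSPECT_ASNS:
        rows.append(("suspect_asn", now, ASN_PENALTY))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def confidence_score(ip: str, events, now: datetime, asn=None) -> float:
    """0.0 means nothing negative is known; the score approaches 1.0 as
    recent, severe incidents accumulate. Bounded in [0, 1)."""
    total = sum(c for _, _, c in explain(ip, events, now, asn))
    return 1.0 - 0.5 ** total


def vpn_policy(score: float) -> str:
    """Assumed thresholds for how a VPN gateway treats the client."""
    if score >= 0.4:
        return "deny"
    if score >= 0.1:
        return "step_up"   # e.g. require MFA or land in a quarantine VLAN
    return "allow"


# Constructed sample telemetry, pinned to a fixed clock so results repeat.
NOW = datetime(2010, 11, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    Event("198.51.100.7", "c2_contact", NOW - timedelta(hours=2)),    # today
    Event("198.51.100.8", "c2_contact", NOW - timedelta(days=730)),   # 2 years ago
    Event("203.0.113.5", "spam_source", NOW - timedelta(days=10)),
]


def check_vpn_client(ip: str, events=EVENTS, now=NOW, asn=None):
    """What a VPN gateway would do with a connecting client's source IP."""
    score = confidence_score(ip, events, now, asn)
    return score, vpn_policy(score), explain(ip, events, now, asn)


if __name__ == "__main__":
    for ip in ["198.51.100.7", "198.51.100.8", "203.0.113.5", "192.0.2.1"]:
        score, action, reasons = check_vpn_client(ip)
        summary = [(b, round(c, 3)) for b, _, c in reasons]
        print(f"{ip:15} score={score:.3f} action={action:8} reasons={summary}")
```

The decision function is deliberately separate from the score so that the thresholds can be tuned per control (a VPN gateway might deny at a lower score than a mail filter), and `explain` returns the contributing rows so an analyst can see why a client was stepped up or denied rather than just the number.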

The second service, ipTrust Web, is free. It lets users enter a list of IP addresses and sends alerts when any of those addresses shows signs of a malware infection. It puts these incidents into perspective by showing, for example, whether infections are more concentrated in the customer's address range than among IP addresses in general. This can give users insight into which infections are getting past their other security controls.

Ingevaldson says a premium ipTrust Web service, priced at $1 per IP address per month, will later offer integration with security incident and event management platforms, as well as better alerting and ticketing.

The database these services are based on is compiled from monitoring academic networks, use of honeypots and sinkholes to gather data about malicious networks, vendors that gather security data from intrusion detection systems and commandeering IP addresses of C&C servers.

The company adds 100TB per week to the database. "We have every event we ever collected in our active cluster," Ingevaldson says.

Read more about wide area network in Network World's Wide Area Network section.
