One of the most interesting questions we get asked at ThreatSTOP concerns how long an IP address remains bad once it has been identified as such. Each threat list treats its IPs slightly differently, so the answer is not completely straightforward and varies depending on which list the IP is on. Moreover, many lists do not display specific "first seen" or "last seen" data for each IP address, but rather simply list the currently active IPs (where "active" typically means that they have been identified as bad within the last week or so). Possibly worse for our questioners, some of the threat sources we use are distributed under terms that prohibit us from answering the question.
However, the DShield organization makes their top N lists public, and these lists contain the first and last seen dates, making it possible to analyze that data to figure out how long an IP address remains bad. For our analysis, we have taken a few DShield malicious IP lists. Let's start with DShield Top 100 – here is the breakdown from yesterday:
This list contains the top 100 absolute worst IPs that DShield has recently encountered. As you can see, 15% of the IP addresses in this list remain bad for over a month while about a fifth are only seen for a week or less, and only 3% disappear in one day or less. Our Security Research team has run these numbers daily for the last month, and the numbers, while they vary a little, remain quite consistent.
If we expand the list, though, we can see that many bad IPs pop up and disappear from it quickly, with 73% of them staying on the top 1K list for up to a week:
So what does this mean for blacklists? Well, as the numbers show us, manual blacklist maintenance is clearly ineffective and a thing of the past. Chances are that by the time you manually add an IP address to a blacklist, the IP may very well have already been fixed. Checking in on your lists and updating them once a month, once a week, or even once a day just isn't enough anymore. On top of that, having repaired IP addresses in your lists can lull you into a false sense of security, and can cause major user satisfaction issues when a user tries to interact with one of these IP addresses - the infamous false positive problem.
But here's the thing - blacklists provide an extremely strong line of defense against cyber attacks and malware. If composed and updated properly, they can block almost all known attacks and the malicious infrastructure being used in real time, as their indicators of compromise are being published. The fact that a blacklist needs to be kept up to date does not invalidate the utility of the concept; it just means you need something like ThreatSTOP to automatically update threat blacklists on a timely basis so that you get coverage against the short-lived threats while they are active. ThreatSTOP aggregates the most up-to-date indicators of compromise from over 900 threat feeds, including both human- and machine-curated IP addresses and domains.
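As an added illustration (not code from ThreatSTOP or DShield), the script below reproduces the dwell-time bucketing from the DShield analysis above on a constructed sample, and then ages out entries not seen within the last week, which is the automatic expiry the paragraph above argues for. The tab-separated layout (ip, report count, first seen, last seen), the addresses and the dates are all assumptions made for the example.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample (RFC 5737 addresses, made-up dates) in the layout assumed
# for a DShield top-list export: ip, report count, first seen, last seen (TSV).
SAMPLE_LIST = """\
# constructed sample, not real DShield data
203.0.113.10\t4123\t2014-06-01\t2014-07-10
203.0.113.11\t987\t2014-07-09\t2014-07-10
198.51.100.5\t2210\t2014-07-04\t2014-07-10
198.51.100.6\t1550\t2014-06-20\t2014-07-10
192.0.2.77\t610\t2014-07-10\t2014-07-10
192.0.2.78\t402\t2014-05-01\t2014-06-02
"""

def parse_list(text):
    """Yield (ip, first_seen, last_seen), skipping comment and blank lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, _count, first, last = line.split("\t")
        yield ip, date.fromisoformat(first), date.fromisoformat(last)

def dwell_bucket(first_seen, last_seen):
    """Classify how long an IP stayed listed, using the post's buckets."""
    days = (last_seen - first_seen).days + 1  # inclusive: same-day entry = 1 day
    if days <= 1:
        return "1 day or less"
    if days <= 7:
        return "a week or less"
    if days <= 30:
        return "up to a month"
    return "over a month"

def dwell_distribution(text):
    """Return {bucket: percent of entries} for one list export."""
    buckets = Counter(dwell_bucket(f, l) for _ip, f, l in parse_list(text))
    total = sum(buckets.values())
    return {b: round(100 * n / total, 1) for b, n in buckets.items()}

def active_entries(text, as_of, max_age_days=7):
    """Keep only IPs last seen within max_age_days of as_of (ISO date string);
    stale entries drop out so a repaired host is not blocked indefinitely."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_age_days)
    return sorted(ip for ip, _f, last in parse_list(text) if last >= cutoff)

if __name__ == "__main__":
    print(dwell_distribution(SAMPLE_LIST))
    print(active_entries(SAMPLE_LIST, "2014-07-10"))
```

Run against a real export with the same columns, the first function gives the percentages the post reports and the second gives the block list you would actually push, with entries that went quiet more than a week ago already removed.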
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?