One of the themes of this blog is that IP reputation - when delivered in an actionable form the way we do at ThreatSTOP - can protect against threats that you had no idea existed. There's an interesting Reuter's report that explains the problem:

"Our largest fear ... is the zero day attack," said Sherrill Nicely, the CIA's deputy chief information officer. "It's very, very, very difficult to protect oneself from an attack that you did not know was coming or the vulnerability that you did not know existed."

Sherrill Nicely is correct in saying that there is no guaranteed protection, but ThreatSTOP can definitely help because the bad guys reuse the same IP addresses from one attack to another.

They have to because there aren't many service providers that won't clean things up once they realize their network/servers etc. are the source of attack. Now it is true that the clean up often takes time but in a month or six most service providers that also have legitimate non-criminal clients will clean up and then make sure that they don't get fooled again. They do this because having the reputation as a fount of malware gets a provider shunned, so his legitimate customers have problems sending mail, getting web visitors etc. The result is that an IP address that is seen as a malware dropper last week will be a botnet C&C host this week and a recon bot or spammer next week. And next month it will be a phishing site and then the cycle repeats until the SP roots out his criminal customer(s).

One of the reasons why we have recently provided a 5 nation geographic block feed covering Eastern Europe is that these countries (or their service providers) are doing a poor job of policing their customers. Combine this with the fact that very few organizations outside their actual neighbors are likely to have any legitimate reason to communicate with computers in these countries and hence it may not be worth taking the risk to talk to any of the computers in those countries. Likewise a lot of people may find it useful to block China. A clinic or a small lawyers office in the middle of the USA (say) is highly unlikely to have any reason to talk to something in China.

Another example - this one of the classic recidivist - the IP address that is our number worst of the web for today (June 19, 2011): 208.73.210.29

First Identified Most Recently active Present in the following feeds:
2010-10-01 06:00:01
2010-10-01 18:00:19
2010-10-29 08:01:11
2010-11-01 18:01:12
2010-11-29 12:01:08
2010-12-08 18:03:35
2011-02-16 20:00:54
2011-03-08 10:00:04
2011-06-14 01:00:35
2011-06-19 17:11:40
2011-06-18 20:14:14
2011-06-19 17:15:23
2011-06-19 18:28:56
2010-12-10 14:03:41
2011-02-24 02:00:40
2011-06-15 04:00:13
ZeuS Blocklist

Blade URL Lists

Parasites, Hijackers and Spyware Domains

DSHIELD Top 4000

Autoshun Block List

PhishTank

SpyEye Blocklist

AMaDa C&C IP Blocklist

This address is currently in 6 feeds but over the last few months has also been in 2 more and will probably remain in those and others until eventually oversee.net decides that it really had to take action (Oversee.net currently has 17 addresses in our list our of some 3500-4000 total).

But this sort of recidivism is extremely common and is why the chances are that any zero-day will be blocked by ThreatSTOP. The zero-day will use an address we already know about at some point and we will block - and log - the attempted communication to/from that address. Hence IP reputation, as delivered by ThreatSTOP to our subscribers' firewalls, is the effective defense against unknown zero-day attacks.