12 Apr Are Threat Actors Everywhere?

Analyzing a blocklist helps find out

– Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Apr. 12, 2021

IP- or even country-level blocking is among the common techniques implemented to support network security. Yet it can be tricky to narrow down cybercrime activities to specific hotspots. To illustrate this point, we gathered a list of IP addresses recorded on a blocklist and studied network owners’ locations using IP WHOIS data.

The blocklist in the study was obtained from Spamhaus’s Don’t Route or Peer (DROP) List as of Feb. 8, 2021, which contains 964 IPv4 ranges at the time of writing. Those IP ranges were either hijacked, leased for spam, or used as part of other cybercrime operations.

While the conclusions drawn in this post are inherently linked to the sampled blocklist, a review of the ranges using IP Netblocks WHOIS Database led us to ask the following questions:

• Which regional internet registries (RIRs) do the malicious IP ranges belong to?
• What entities own the netblocks?
• Are the malicious IP ranges tied to specific countries?

Regional Internet Registry Distribution

Based on the WHOIS records of the first IP addresses of each of the 964 IP netblocks, the top three RIRs are:

• American Registry for Internet Numbers (ARIN)
• Réseaux IP Européens (RIPE)
• Asia Pacific Network Information Centre (APNIC)

A plausible explanation behind ARIN and RIPE having the largest share of the malicious netblocks is that threat actors are increasingly using cloud infrastructure to speed up cyberattacks and hide their tracks. And many cloud computing and hosting providers are set up in North America and Europe, though Asia-Pacific is also home to a number of these companies. Still, IP ranges belonging to African and Latin American RIRs (AFRINIC and LACNIC) are also present, as shown in the chart below.

Chart 1: RIR distribution of IP ranges in the DROP List

Entity Types

RIRs may only have limited interest or ability to monitor IP ranges for malicious activity, as they are involved in a wide array of businesses. However, the entities to which RIRs have assigned the IP netblocks may play an important role in curbing cybercrime.

For one, they could intensify their client verification processes to ensure their allocated infrastructure is not used maliciously. At the very least, knowing who owns the distributed IP ranges can help cybersecurity investigators and law enforcers during takedowns.

For the DROP List used in the study, the Autonomous System (AS) names and NETNAMEs of the IP ranges reveal that most of the owners are cloud or hosting service providers, internet service providers (ISPs), or telecommunications companies.

Country Distribution

Lastly, the country distribution of the IP ranges proves to be varied and interesting. Of course, we expected that RIR territories and the countries identified would match to a rather large extent. For instance, the U.S. and the U.K. are the top countries for IP ranges belonging to ARIN and RIPE, respectively.

The IP ranges are distributed among several countries. In RIPE’s case, the malicious IP addresses are attributed to about 30 countries.

Chart 2: RIPE distribution of IP ranges in the DROP List per country

The APNIC IP addresses, on the other hand, are distributed across 19 countries.

Chart 3: APNIC distribution of IP ranges in the DROP List per country

Interestingly, not all identified countries belong in a specific RIR’s territory. Among the top countries for the ARIN IP ranges, for example, are the Netherlands, Mauritius, and Bulgaria. These countries are outside ARIN’s service region.

When it comes to the country distribution of IP addresses belonging to RIPE and APNIC, meanwhile, a notable out-of-service country is the U.S. Another finding is the appearance of unknown or unspecified countries (signified as “ZZ”) in the WHOIS records of the malicious IP addresses for APNIC.

Inspecting IP netblock WHOIS data for this particular DROP List led us to conclude that threat actors could be everywhere. An additional step in this study could be to look at the IP geolocation of malicious IP addresses to check if their locations match the country indicated in their IP netblock WHOIS records. After all, while WHOIS data may tell the location of an IP block owner, geoIP allows users to physically measure the location of individual IP addresses.

If you’re a cybersecurity researcher or investigator interested in exploring IP netblocks WHOIS data, feel free to contact us.