Fighting botnets: Service rates reputation of IP addresses

Startup ipTrust opens up an enormous database about botted IP addresses

By Tim Greene, Network World
October 28, 2010 08:06 AM ET
Startup service provider ipTrust today said it was offering a program that lets businesses avoid botnets and infected machines by letting them know whether IP addresses are linked to suspicious behavior.

By granting access to its database on the known behavior of more than 250 million IP addresses, the company gives customers a means to determine if their own network harbors infected machines that are carrying out malicious activity and whether IP addresses the company comes in contact with are infected, ipTrust says.

The company is a new division of Endgame Systems, which has compiled the database and sells similar services to governments. Endgame has close links to Internet Security Systems (ISS), with ipTrust’s and Endgame's CEO Christopher Rouland having served as CTO of ISS and ipTrust's and Endgame's COO Daniel Ingevaldson having headed penetration testing there. ISS co-founder Tom Noonan is a member of ipTrust's board.

The company has also won $29 million in Series A funding from investment firms Bessemer Ventures, Columbia Capital, Kleiner Perkins Caufield & Byers and TechOperators.

Initially, ipTrust is offering two services, ipTrust Professional and ipTrust Web.

The first lets customers tap the Endgame database to determine the trustworthiness of IP addresses based on a score from 0 to 1, with 0 indicating a site with no known negative activity, and 1 indicating recent negative activity. This confidence score can be used to help determine how customers treat the sites, Ingevaldson says.

In addition to the score, the service provides a list of the specific behaviors that helped determine it. For example, if an IP address connected to a known botnet command-and-control server today, that would contribute to a bad confidence score. If it connected to the C&C server two years ago and had no other incidents since, the confidence score would be better, he says.

Other factors influencing scores include whether the address is part of an Autonomous System or assigned to an ISP that is suspect.

Customers can use the database to augment their security measures. For example, a business might check the IP address of a machine trying to connect to a corporate network via a VPN to determine whether it has recently exhibited suspicious behavior. ipTrust Professional offers an API that lets customers connect corporate applications to the service, Ingevaldson says.
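To make the scoring idea and the VPN use case concrete, here is a small Python model added to this article; it is not ipTrust's code or algorithm. The decay half-life, the Autonomous System penalty and the deny threshold are assumed tuning values, and the addresses and observations are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

# Assumed tuning values for this illustration, not ipTrust's.
HALF_LIFE_DAYS = 90.0      # an incident's weight halves every 90 days
SUSPECT_AS_PENALTY = 0.2   # flat penalty for a suspect Autonomous System / ISP
DENY_THRESHOLD = 0.5       # local policy: deny VPN logins at or above this score

@dataclass
class Incident:
    behaviour: str    # e.g. "connected to known botnet C&C"
    seen: datetime    # when the behaviour was observed (UTC)

@dataclass
class Reputation:
    ip: str
    suspect_as: bool = False
    incidents: List[Incident] = field(default_factory=list)

def score(rep: Reputation, now: datetime) -> float:
    """Confidence score in [0, 1]: 0 = nothing known, 1 = recent bad activity."""
    # Each incident contributes a weight that decays exponentially with age;
    # weights are combined as 1 - prod(1 - w) so repeat offenders saturate at 1.
    clean = 1.0
    for inc in rep.incidents:
        age_days = max((now - inc.seen).total_seconds() / 86400.0, 0.0)
        clean *= 1.0 - 0.5 ** (age_days / HALF_LIFE_DAYS)
    s = 1.0 - clean
    if rep.suspect_as:
        s = min(1.0, s + SUSPECT_AS_PENALTY)
    return round(s, 4)

def vpn_decision(rep: Reputation, now: datetime) -> Tuple[str, float, List[str]]:
    """Gate a VPN login on the score and return the behaviours behind it."""
    s = score(rep, now)
    reasons = [f"{i.behaviour} ({(now - i.seen).days} days ago)" for i in rep.incidents]
    if rep.suspect_as:
        reasons.append("address belongs to a suspect Autonomous System")
    return ("deny" if s >= DENY_THRESHOLD else "allow", s, reasons)

# Constructed sample data (documentation-range addresses, invented observations).
NOW = datetime(2010, 10, 28, tzinfo=timezone.utc)
C2 = "connected to known botnet C&C"
TODAY = Reputation("192.0.2.10", incidents=[Incident(C2, NOW)])
TWO_YEARS = Reputation("192.0.2.20", incidents=[Incident(C2, datetime(2008, 10, 28, tzinfo=timezone.utc))])
CLEAN = Reputation("192.0.2.30")
SUSPECT = Reputation("192.0.2.40", suspect_as=True)
```

Running `vpn_decision(TODAY, NOW)` denies the login with a score of 1.0, while the two-year-old C&C contact decays to well under 0.01 and is allowed, mirroring the recency behaviour described above.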

The second service, ipTrust Web, is free. It lets users enter a list of IP addresses and sends alerts when any of those addresses shows signs of a malware infection. It puts these incidents into perspective by showing, for example, whether infections are more concentrated in the customer's address range than among IP addresses in general. This can give users insight into which infections are getting past their other security controls.

Ingevaldson says that a premium ipTrust Web service, priced at $1 per IP address per month, will later offer integration with security incident and event management platforms, as well as better alerting and ticketing.
