About Teletype
Join
Check.Point Docs
@checkpointdocs
November 17, 2022

Technical documentation of the "Check.Point" IP analysis system

Welcome to the technical documentation section of our system. Here we will describe the methodologies and algorithms of IP address analysis, as well as the bases used and the interpretation of the results.

System modules:

Content:

1. Geolocation

2. Usage Type

3. ISP INFO

4. Threat Module

5. Blacklists

6. AbuseIPDB Module

7. Spam Signals

8. MinFraud API Score

9. Financial Risk Rating Score

10. Anti-Fraud Conclusion

Geolocation Module

The system is based on the databases of the Maxmind service The company was founded in 2002 by Thomas "TJ" Mather in Walten, Massachusetts, USA. It is a leader in creating network maps and providing IP address data, as well as Anti-Fraud systems. MaxMind provides IP analytics through its GeoIP brand. More than 5000 companies use GeoIP data to locate their visitors on the Internet and show them relevant content and advertisements, perform analytics, enforce digital rights and route Internet traffic efficiently. Companies can get more information about their customers' connection speeds, ISPs, and more using GeoIP data. MaxMind's industry-leading MinFraud service helps businesses prevent fraudulent online transactions and reduce manual audits. The minFraud service is used to verify more than 175 million e-commerce transactions and account registrations per month. More than 7,000 ecommerce and other online businesses use minFraud through customer and partner networks.

The output of the result is extremely simple:

One of our top priorities is to ensure that our data is as accurate as possible. We frankly inform our clients about errors and inaccuracies in measurements.
Bases cannot guarantee 100% accuracy of geolocation. Accuracy varies greatly depending on country, distance, type of IP address (cellular or broadband, IPv4 or IPv6) and ISP practices. We do not guarantee an exact match with our competitors because we may use different bases.

Given these limitations, we believe that GeoIP2 products can identify users at the country level with 99.8% accuracy. For IP addresses located in the US, we estimate accuracy of about 80% at the state/region level and 66% accuracy for cities (within a 50-100 km radius of that city)

In the above example, GeoIP2 products and services return the coordinates 42.1293, -72.7522 with an accuracy radius of 100 km.

GeoIP2 databases are updated daily and the Maxmind team has been working to improve their performance for over 20 years!

GeoIP2 geolocation databases and web services cover almost all publicly available IP addresses used worldwide, even in Antarctica.

This also applies to the MAP VIEW block. The error in the figures is 50-100 km. I.e. having border zones between states, we can get new readings from time to time. Keep this in mind.


Parameter : <Usage Type>

The system analyzes the data transmitted by the IP address as well as other indirect factors to determine the type of connection. It recognizes the following types:

●business ●cafe ●cellular ●college ●content_delivery_network ●dialup ●government ●hosting ●library ●military ●residential ●school ●search_engine_spider ●traveler

ISP Information Module

Outputs information by ISP ( Internet Service Provider ) about a particular IP. The database contains about 10 thousand names from all over the world.

1. ASN number
2. Name of the Internet Service Provider campaign.
3. Number of users in the last 24 hours. ( Beta version)

Threat Triggers Module

Type of dispensing in the telegram bot.

Types of Anonymizers

We distinguish five different types of anonymizers:

  • VPN
  • hosting providers
  • public proxies
  • residential proxies
  • and TOR exit nodes

VPN

Virtual private networks (VPNs) are usually a paid service where a customer can access the Internet using an IP address provided by a third party. This third party acts as an intermediary for all browsing done by the user.

Many VPN users are privacy-conscious and do not necessarily engage in any malicious activity.

Hosting Providers

Web hosting services can be used to create private proxy servers, and many VPN services use hosting providers instead of registering their own ranges of IP addresses. This means that if you see end-user related traffic originating from a hosting provider, the end-user is probably using the VPN, even if the checker has not identified it as such.

Public Proxies

Publicly available proxies are usually readily available and openly published.

Residential Proxies

Resident proxies are harder to detect than other types of proxies because these IP addresses appear to be associated with legitimate resident ISPs.

TOR Exit Nodes

These are the IP addresses used as output nodes for the TOR network. Traffic from these nodes is relayed through multiple servers to maintain anonymity.

Blacklist Analysis Module

The unit checks the IP address for presence in one of the checked blacklists. At this moment the system checks 46 lists at a time! We plan to expand this number to 100+
This is a necessary check of address quality. Blacklist can be for some minor spam, as well as for serious offenses.

Using Services:

0SPAM
Abuse.ro
Abusix Mail Intelligence Blacklist
Abusix Mail Intelligence Domain Blacklist
Abusix Mail Intelligence Exploit list
Anonmails DNSBL
BACKSCATTERER
BLOCKLIST.DE
CALIVENT
CYMRU BOGONS
CYMRU BOGONS IPv6
DAN TOR
DAN TOREXIT
DNS SERVICIOS
DRMX
DRONE BL
FABELSOURCES
HIL
HIL2
Hostkarma Black
IBM DNS Blacklist
ICMFORBIDDEN
IMP SPAM
IMP WORM
INTERSERVER
ivmSIP
ivmSIP24
JIPPG
KEMPTBL
KISA
Konstant
LASHBACK
LNSGBLOCK
LNSGBULK
LNSGMULTI
LNSGOR
LNSGSRC
MADAVI
MAILSPIKE BL
MAILSPIKE Z
MSRBL Phishing
MSRBL Spam
NETHERRELAYS
NETHERUNSURE
NIXSPAM
Nordspam BL
NoSolicitado
ORVEDB

IP Abuse Alerts Module:

Block checking IP address for Abuse Alerts parameter with the service https://www.abuseipdb.com/.

It is a reputable service , has been in operation since 2016 under the leadership of the team of Marathon Studios Inc.

AbuseIPDB is a project designed to help system administrators and webmasters check and report on IP addresses that are involved in malicious activities such as spamming, hacking attempts, DDoS attacks, etc.
Abuse Alerts parameter showing the number of complaints received by the given IP. Service provides information on each "complaint" on the address. It also maintains statistics on the reports: Number of IPs that received complaints Geolocation and country charts.

Categories of reports recognized by the service :

1. DNS Compromise: 
Altering DNS records resulting in improper redirection.
2. DNS Poisoning:
Falsifying domain server cache (cache poisoning).
3. Fraud Orders:
Fraudulent orders.
4. DDoS Attack:
Participating in distributed denial-of-service (usually part of botnet).
5. FTP Brute-Force
6. Ping of Death:
Oversized IP packet.
7. Phishing:
Phishing websites and/or email.
8. Fraud VoIP
10. Open Proxy:
Open proxy, open relay, or Tor exit node.
11. Web Spam:
Comment/forum spam, HTTP referer spam, or other CMS spam.
12. Email Spam:
Spam email content, infected attachments, and phishing emails.
13. Blog Spam:
CMS blog comment spam.
14. VPN IP:
Conjunctive category.
15. Port Scan:
Scanning for open ports and vulnerable services.
16. Hacking :
Attempts at hacking devices\servers\routers.
17. SQL Injection :
Attempts at SQL injection.
18. Spoofing : Email sender spoofing.
19. Brute-Force:
Credential brute-force attacks on webpage logins and services like SSH, FTP, SIP, SMTP, RDP, etc. This category is seperate from DDoS attacks.
20. Bad Web Bot:
Webpage scraping (for email addresses, content, etc) and crawlers that do not honor robots.txt. Excessive requests and user agent spoofing can also be reported here.
21. Exploited Host:
Host is likely infected with malware and being used for other attacks or to host malicious content. The host owner may not be aware of the compromise. This category is often used in combination with other attack categories.
22. Web App Attack:
Attempts to probe for or exploit installed web applications such as a CMS like WordPress/Drupal, e-commerce solutions, forum software, phpMyAdmin and various other software plugins/solutions.
23. SSH:
Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
24. IoT Targeted:
Abuse was targeted at an "Internet of Things" type device. Include information about what type of device was targeted in the comments.

Confidence of Abuse :

New to the AbuseIPDB service, added recently, but has shown good results in tests.

This number is an estimate (on a scale from 0 to 100) of how likely it is, based on user reports, that an IP address is completely malicious.

Since this metric can be used as a basis for blocking connections, we are very careful to condemn only addresses that have a large number of AbuseIPDB users testifying against them. The validity rating is determined by the reports and their age. The baseline value is the natural logarithmic value of the various user reports.

Spam Signals

Block checking IP-addresses for presence in the largest spam-blacklists:

Barracuda SPAMHAUS SpamCop

Type of dispensing in the telegram bot.

Not much of a factor in the ford, but we try to take all the details into account.

MinFraud API Score

It should be understood that this service provides tools not only for IP analysis, but also for full control over merchant transactions. Because we check only IP here, we do not touch the deeper features of maxmind, for now =) .

The minFraud network gets information from all users of Maxmind services.

More than 7000 companies all over the world use the services of this company. This includes sole proprietors, Fortune 100 companies and everything in between. The minFraud risk assessment modeling takes into account all of the transactions made in this network of businesses over the past year. That's more than 3 billion transactions.

These transactions help the minFraud service collect reputation data for a number of digital identities. The minFraud network allows us to flag suspicious IP addresses and devices based on their network activity.

With so many different types of businesses and transactions in the minFraud network, we can monitor risk more closely across industries and verticals. This means that small businesses will benefit from the risk patterns of larger businesses and institutions, and larger businesses will benefit from the risk signals we see in small businesses that can be missed with larger transaction volumes.


Machine learning and data analysis on these billions of transactions is also based on behavior. These metrics are not only based on fraudulent actions already committed, but also apply behavioral patterns to more accurately identify untrustworthy IP addresses.

The minFraud services return an overall risk score, which takes into account a number of risk factor scores. Each of these estimates represents the probability that the IP is unsafe for the merchant. The various risk factor scores are weighted and combined with other factors.

The total score can be broken down into several risk factor scores.

All risk scores are given as percentages ranging from 0.01 to 99. For example, a risk score of 20.00 means that the IP has a 20 percent chance of being fraudulent, and a risk score of 0.10 means that the IP has a 0.1 percent chance of being fraudulent.


"Internals." A detailed description of the check results inside the Maxmind system.

Causes of increased risk are displayed when one of the following conditions occurs:

  • The IP address is associated with an anonymizer such as a VPN or other proxy.
  • The IP address has been flagged because of a speed check.
    • The IP was used to send transactions with many different payment addresses in a short period of time.
    • The IP was used to send transactions with many different email addresses over a short period of time.
    • The IP was used to send transactions with many different credit card issuer identification numbers over a short period of time.
  • The IP address was used by a high-risk email address.
  • The IP address was used by a high-risk device.
  • The IP address was flagged because of other activity on the minFraud network.


Financial Risk Rating Score

A parameter calculated based on dozens of metrics, including those mentioned above, as well as information from banking systems and financial institutions. As well as honeypot systems of the largest banking organizations such as J.P. Morgan, FCCA, Wheels Fargo, Austria Bank, HSBC, BNP Paribas, DeutscheBank, UBS, CitiGroup, Capital One, etc. (more than 30+ names).
In addition metrics from Cisco Talos is attached.

It is represented by a scale from 0-100, where 0 is no questions about the IP address. Range 8-20 is a debatable zone, IP is not dangerous for financial systems but has questions on any of the parameters.
Anything above 21 indicates the risk of the IP address being unreliable or dangerous for the financial systems and databases, as well as various merchants (payment systems) and so on. Usually, transactions marked with this mark are sent for manual processing and analysis.

The view of the scale in the telegram bot.

Anti-Fraud Conclusion:

( Anti-Fraud Conclusion) - A summary metric expressing the "ratio" of most major AF systems to the direct IP address.

A summary of all calculations and metrics. Including FRRS, MAXMIND MinFraudScore, etc.
Output and interpretation is as simple as possible:

Check.Point Docs
November 17, 2022, 02:15
0 reactions
0 views