Experienced cybercriminals hide their location behind several layers of proxies, VPNs or Tor nodes, so their own IP address is almost never directly visible to the target system. In practice, attackers carry out their attacks from third-party IP addresses.
There are countless ways to conduct cyberattacks, but one thing is common to nearly all of them: the need for a pool of IP addresses to operate from. Criminals need IP addresses to run distributed denial-of-service attacks, evade detection, brute-force credentials, operate botnets, and so on. IP addresses are one of an attacker's most important assets.
Cybercriminals acquire IP addresses in various ways. Poorly protected and unmanaged fleets of IoT devices, left with default credentials and outdated firmware, are an ideal target. Criminals can also go to the darknet and purchase a network of bots for DDoS attacks for a couple of hundred dollars.
Obtaining IP addresses costs money, time and resources. Interfering with this process disrupts the criminal's ability to carry out attacks effectively. Blocking IP addresses already known to be used by criminals therefore significantly raises the security of your online assets.
CrowdSec specialists conducted an experiment. They set up two identical virtual private servers (VPS) at a well-known cloud provider, each running two simple services, SSH and Nginx. CrowdSec was installed on both systems to detect intrusion attempts. On one of them a blocking component (an IPS) was additionally installed, which received IP reputation data from the CrowdSec community and preemptively blocked the flagged addresses. The result was striking.
Thanks to the blocklist, the server with the IPS saw 92% fewer attacks than the one without it. That is a substantial gain in security.
IP “blacklists” hurt criminals by nullifying their pool of IP addresses. They have spent time, money and resources building that pool, and preemptive blocking simply takes this valuable resource away from them.
Lists also make life much easier for analysts and security teams. Preemptive blocking of known attacker IPs significantly reduces the “background noise”: on the order of a 90% reduction in the alerts that SOC staff need to triage. This lets them focus on the alerts and issues that actually matter.
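To make the two points above concrete, the experiment's preemptive blocking and the resulting drop in alert noise, here is an added Python example (not CrowdSec's code and not from the original article). It replays a few constructed sshd log lines as if a reputation-based blocker sat in front of the service: any failed login from an address on the feed is treated as dropped at the firewall before sshd ever logs it, and whatever remains is fed to a simple local brute-force threshold. The feed, the allowlist, the log lines and the threshold are all hypothetical values chosen for the illustration, using documentation address ranges only.

```python
"""Replay an sshd log through a reputation blocklist.
Added example, not CrowdSec's code; all data below is constructed."""
import ipaddress
import re
from collections import Counter

# Hypothetical reputation feed: single addresses or CIDR blocks, one per
# line, optional comments. Only RFC 5737 / RFC 3849 documentation ranges.
BLOCKLIST_FEED = """
# network            reason
203.0.113.0/24       ssh-bf
198.51.100.7         http-scan
2001:db8:bad::/48    ssh-bf
"""

# Hypothetical operator host that must never be blocked, whatever the feed
# says (a poisoned or over-broad feed entry must not lock the operator out).
ALLOWLIST = ["192.0.2.200"]

# Constructed sshd auth log lines for the demonstration.
SAMPLE_AUTH_LOG = """\
Jan 10 08:00:01 vps1 sshd[1201]: Failed password for root from 203.0.113.45 port 40212 ssh2
Jan 10 08:00:02 vps1 sshd[1202]: Failed password for root from 203.0.113.45 port 40213 ssh2
Jan 10 08:00:03 vps1 sshd[1203]: Failed password for admin from 203.0.113.99 port 51000 ssh2
Jan 10 08:00:04 vps1 sshd[1204]: Failed password for invalid user test from 198.51.100.7 port 33001 ssh2
Jan 10 08:00:05 vps1 sshd[1205]: Failed password for root from 2001:db8:bad::1 port 22010 ssh2
Jan 10 08:00:06 vps1 sshd[1206]: Failed password for invalid user oracle from 192.0.2.10 port 42000 ssh2
Jan 10 08:00:07 vps1 sshd[1207]: Failed password for invalid user oracle from 192.0.2.10 port 42001 ssh2
Jan 10 08:00:08 vps1 sshd[1208]: Failed password for invalid user oracle from 192.0.2.10 port 42002 ssh2
Jan 10 08:00:09 vps1 sshd[1209]: Accepted publickey for deploy from 192.0.2.200 port 50000 ssh2
Jan 10 08:00:10 vps1 sshd[1210]: Failed password for root from 192.0.2.77 port 60000 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_networks(lines):
    """Parse address/CIDR strings into ip_network objects, skipping comments
    and blank lines. strict=False tolerates entries with host bits set."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry.split()[0], strict=False))
    return nets


def matches(ip, nets):
    """True if ip lies in any of nets. An IPv4 address never matches an IPv6
    network (or vice versa): `in` returns False across versions."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(log_text, feed_text=BLOCKLIST_FEED, allow=ALLOWLIST, threshold=3):
    """Count failed logins the blocker would have dropped before sshd saw
    them, what is left for local detection, and which remaining sources
    would still trip a local brute-force ban (>= threshold failures)."""
    blocked_nets = parse_networks(feed_text.splitlines())
    allow_nets = parse_networks(allow)
    total_failed = blocked_failed = 0
    remaining = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, failed = m["ip"], m["result"] == "Failed"
        if failed:
            total_failed += 1
        # The allowlist wins over the feed.
        if not matches(ip, allow_nets) and matches(ip, blocked_nets):
            if failed:
                blocked_failed += 1
            continue  # dropped at the firewall: no log line, no alert
        if failed:
            remaining[ip] += 1
    reduction = round(100 * blocked_failed / total_failed, 1) if total_failed else 0.0
    return {
        "total_failed": total_failed,
        "blocked_failed": blocked_failed,
        "remaining_failed": sum(remaining.values()),
        "alert_reduction_pct": reduction,
        "local_bans": sorted(ip for ip, n in remaining.items() if n >= threshold),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_AUTH_LOG))
```

On the constructed log, five of the nine failed logins come from feed-listed addresses and never reach sshd, so local detection only has to look at four events and bans a single source. The allowlist check before the feed lookup is the practitioner's safeguard: a reputation feed you do not control can be over-broad or poisoned, and shared addresses (carrier-grade NAT, cloud egress) can carry legitimate users, so your own management hosts should always be exempt.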