3 January 2023 | by Xavier Bellekens
In this article, I’m going to walk you through the best possible way to find the reputation of an IP address using Node.js and the Prowl API.
To identify the reputation of an IP address, we aggregate and analyze traffic in real time on our sensors deployed online. We then correlate and build a database of all IPs, geolocation, indicators of attacks, indicators of compromise and much more, and serve it to you via our Prowl API.
Prowl is an API that allows you to send an IP address and in return obtain its reputation, as well as the indicators of attacks and indicators of compromise associated with the address. Lupovis monitors the web in real time and identifies malicious IP addresses for you.
Blocking malicious IP addresses can help to mitigate cyberattacks in a number of ways.
First, many cyberattacks are automated, and rely on the attacker being able to repeatedly send malicious traffic from a large number of IP addresses. By blocking known malicious IP addresses, it becomes more difficult for the attacker to carry out these types of attacks.
Second, blocking malicious IP addresses can help to prevent attackers from gaining a foothold on a network or system. If an attacker is able to compromise a device on a network, they will often try to use that device to launch further attacks, or to pivot to other devices on the network. By blocking the IP addresses associated with the initial attack, it can help to prevent the attacker from being able to carry out these follow-on attacks.
Finally, blocking malicious IP addresses can also help to reduce the overall volume of malicious traffic that a network or system is exposed to. This can help to reduce the impact of an attack, and make it easier for network administrators to identify and respond to the attack.
Today, I’ll show you how to use our newly released Prowl-IP-Reputation Node.js library to perform both an IP Geolocation database lookup and return any attack vectors associated with the IP.
To obtain an API key you can visit the Amazon AWS Marketplace and subscribe to our API.
https://aws.amazon.com/marketplace/pp/prodview-cr64x4lse5uui
You will be able to make as many requests to the API as needed for $0.02 cents per request.
Once subscribed, you will receive an email with the base URL of the API and the API key.
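Now that you have obtained an API key, the next thing you need to do is install the Node.js IP Reputation package. To do so, run the following command in your project directory (a local install, so that the `import` in the script below can resolve the package):

```
npm install prowl-ip-reputation
```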
This will download and install the latest release of the prowl-ip-reputation package from NPM.
Now that you have your API key and the prowl-ip-reputation package installed, let’s take a look at an example you can run to obtain the reputation of any IP address you want.
Here’s an example script, ip-reputation.js, which will return the reputation of a popular IP address (8.8.8.8, one of Google’s core DNS servers):
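```javascript
// ip-reputation.js uses ES module syntax: set "type": "module" in package.json
// or name the file ip-reputation.mjs.
import { ProwlClient } from 'prowl-ip-reputation'

// Replace the placeholders with the base URL and API key from your subscription email.
const client = new ProwlClient('<prowl-base-url>', '<prowl-api-key>')

client
  .getIpReputation("8.8.8.8")
  .then((response) => {
    // The response carries the IP and its associated indicators of attack.
    console.log(response);
  })
  .catch((error) => {
    console.error(error);
  });
```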
The library is simple to use and integrate within projects, and this can be done in 3 steps.
The following information will be returned in the callback:

```
Object {ip: "8.8.8.8", ttps: []}
```
This JSON data tells you everything you need to know about the indicators of attacks for the `8.8.8.8` IP address.
When an IP is malicious, it will return a full array in the callback, as shown here:

```
Object {ip: "143.110.000.000", ttps: ["dir-busting", "web-traversal"]}
```
Behind the scenes, the Prowl IP Reputation API service handles the lookups within our database and the data aggregation, getting data from sensors and processing millions of updates per day.
Now that you have seen how easy it is to identify malicious IP addresses using the Prowl-IP-Reputation library, you should be able to start implementing IP blocking in all of your products and services, eliminating the bulk of cyberattacks, bots, spam and opportunistic attacks.
Some really common use cases include:
There is no hard and fast rule for how long you should block an IP address. The appropriate length of time to block an IP address will depend on the specific circumstances of the attack and the needs of your organization.
In some cases, you may only want to block an IP address for a short period of time (days), in order to disrupt an ongoing attack. In other cases, you may want to block an IP address for a longer period of time (months), in order to prevent the attacker from being able to use the same IP address to launch further attacks in the future.
In general, it is a good idea to review your list of blocked IP addresses on a regular basis, and to unblock any IP addresses that are no longer considered to be a threat. This can help to ensure that your network is protected from current threats, while minimizing the impact on legitimate users.
We typically recommend blocking IP addresses for 1 to 3 weeks at a time and then flushing the rules. If the malicious user or bot visits your service again, you are only a request away from blocking them.
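One way to apply the time-limited blocking described above is a small in-memory blocklist that expires entries after a fixed number of days. This is an added example, not code from the prowl-ip-reputation library: the `TtlBlocklist` class and `checkAndBlock` helper are hypothetical names, the sample responses are constructed, and it assumes a lookup resolves to the `{ip, ttps}` shape shown earlier.

```javascript
// Added example, not part of the prowl-ip-reputation library.
// Assumption: a lookup resolves to { ip, ttps: [...] } as shown in the article.
const DAY_MS = 24 * 60 * 60 * 1000;

class TtlBlocklist {
  constructor(blockDays = 14) { // inside the 1 to 3 week window
    this.ttlMs = blockDays * DAY_MS;
    this.entries = new Map(); // ip -> { ttps, expiresAt }
  }

  // Block only when the lookup returned at least one indicator of attack.
  apply(reputation, now = Date.now()) {
    const ttps = reputation && reputation.ttps;
    if (!Array.isArray(ttps) || ttps.length === 0) return false;
    this.entries.set(reputation.ip, { ttps: [...ttps], expiresAt: now + this.ttlMs });
    return true;
  }

  isBlocked(ip, now = Date.now()) {
    const entry = this.entries.get(ip);
    return entry !== undefined && entry.expiresAt > now;
  }

  // Flush expired rules; returns the IPs that were unblocked.
  flush(now = Date.now()) {
    const removed = [];
    for (const [ip, entry] of this.entries) {
      if (entry.expiresAt <= now) {
        this.entries.delete(ip);
        removed.push(ip);
      }
    }
    return removed;
  }
}

// Query the API only for IPs that are not already blocked.
// `lookup` is any function returning a promise of { ip, ttps }.
async function checkAndBlock(blocklist, lookup, ip, now = Date.now()) {
  if (blocklist.isBlocked(ip, now)) return true;
  return blocklist.apply(await lookup(ip), now);
}

// Constructed sample responses (documentation-range IP, not real data).
const t0 = Date.UTC(2023, 0, 3);
const blocklist = new TtlBlocklist(14);
blocklist.apply({ ip: "203.0.113.7", ttps: ["dir-busting", "web-traversal"] }, t0);
blocklist.apply({ ip: "8.8.8.8", ttps: [] }, t0);
console.log(blocklist.isBlocked("203.0.113.7", t0 + 7 * DAY_MS));
console.log(blocklist.flush(t0 + 15 * DAY_MS));
```

In a real service, `lookup` would be `(ip) => client.getIpReputation(ip)`, and `flush` would run on a timer so that the matching firewall rules are removed with the entries.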
To wrap things up: performing IP reputation lookups doesn’t have to be hard or expensive. By using our new Prowl-IP-Reputation Node.js library and the Prowl IP Reputation Service, you can easily build, manage and protect even a large web product.